From 218ad006af33cd4b532df2ca44ecdd71c83648c9 Mon Sep 17 00:00:00 2001
From: Andrew Dryga <andrew@dryga.com>
Date: Mon, 16 Jan 2023 13:04:59 -0600
Subject: [PATCH] Revisit Users context, cover UI with e2e tests and introduce
 first AuditLog features (#1267)

1. `auto_create_users` default value is removed. We want to avoid
situations when admins integrate OIDC/SAML providers and don't expect
anyone that has access to it to automatically gain access to VPN, which
is especially critical for providers like Google Workspace, where all
employees typically have access.
2. OpenID library was completely rewritten and a new version is
integrated. It will allow async tests and better scales for the cloud
version of the panel.
3. `Mox` was removed, we don't test modules by overriding them to
prevent breaking changes that tests can't capture.
4. Deps are reordered and unused ones are removed.
5. Browser/e2e tests are added to ensure we won't break UI features in
the future, allowing for front-end refactoring.
6. Users context was overhauled for better code clarity.
---
 .credo.exs                                    |   3 +-
 .formatter.exs                                |  16 +-
 .github/workflows/test.yml                    | 136 ++++
 apps/fz_common/.formatter.exs                 |   9 +
 apps/fz_common/lib/fz_crypto.ex               |  11 +-
 apps/fz_common/mix.exs                        |   7 +-
 apps/fz_http/.formatter.exs                   |  18 +
 apps/fz_http/assets/js/live_view.js           |   4 +-
 apps/fz_http/lib/fz_http.ex                   |  13 +
 apps/fz_http/lib/fz_http/application.ex       |  12 +-
 apps/fz_http/lib/fz_http/configurations.ex    |  40 +-
 .../fz_http/configurations/configuration.ex   |  14 +-
 .../configuration/openid_connect_provider.ex  |  21 +-
 .../configuration/saml_identity_provider.ex   |  18 +-
 apps/fz_http/lib/fz_http/devices.ex           |   4 +-
 apps/fz_http/lib/fz_http/devices/device.ex    |  26 +-
 .../lib/fz_http/devices/device/query.ex       |  16 +-
 apps/fz_http/lib/fz_http/events.ex            |   4 +-
 apps/fz_http/lib/fz_http/oidc/refresher.ex    |  31 +-
 apps/fz_http/lib/fz_http/oidc/start_proxy.ex  |  55 --
 apps/fz_http/lib/fz_http/oidc/supervisor.ex   |   0
 apps/fz_http/lib/fz_http/release.ex           |  18 +-
 apps/fz_http/lib/fz_http/repo.ex              |  20 +-
 apps/fz_http/lib/fz_http/telemetry.ex         |   2 +-
 apps/fz_http/lib/fz_http/users.ex             | 314 +++-----
 .../lib/fz_http/users/password_helpers.ex     |  43 -
 apps/fz_http/lib/fz_http/users/user.ex        | 123 +--
 .../lib/fz_http/users/user/changeset.ex       |  68 ++
 apps/fz_http/lib/fz_http/users/user/query.ex  |  45 ++
 .../{validators/common.ex => validator.ex}    |  96 ++-
 .../lib/fz_http/validators/openid_connect.ex  |  21 -
 apps/fz_http/lib/fz_http/validators/saml.ex   |  21 -
 .../fz_http_web/auth/html/authentication.ex   |  20 +-
 .../fz_http_web/auth/json/authentication.ex   |   2 +-
 .../channels/notification_channel.ex          |  25 +-
 .../lib/fz_http_web/controller_helpers.ex     |   4 +
 .../controllers/auth_controller.ex            |  69 +-
 .../controllers/json/user_controller.ex       |  32 +-
 .../controllers/user_controller.ex            |   2 +-
 apps/fz_http/lib/fz_http_web/endpoint.ex      |   3 +-
 .../live/device_live/admin/show_live.ex       |   2 +-
 .../device_live/unprivileged/show_live.ex     |   2 +-
 .../live/hooks/allow_ecto_sandbox.ex          |   6 +
 .../live/mfa_live/register_steps_component.ex |   3 +-
 .../live/setting_live/account.html.heex       |   2 +-
 .../setting_live/account_form_component.ex    |   2 +-
 .../account_form_component.html.heex          |  15 -
 .../live/setting_live/account_live.ex         |   4 +-
 .../live/setting_live/security.html.heex      |   4 +
 .../setting_live/show_api_token_component.ex  |   2 +-
 .../live/user_live/form_component.ex          |   2 +-
 .../live/user_live/form_component.html.heex   |   5 +-
 .../fz_http_web/live/user_live/index_live.ex  |   4 +-
 .../fz_http_web/live/user_live/show_live.ex   |   8 +-
 .../user_live/vpn_connection_component.ex     |   1 +
 apps/fz_http/lib/fz_http_web/live_helpers.ex  |   4 +-
 .../lib/fz_http_web/mailer/auth_email.ex      |   2 +-
 apps/fz_http/lib/fz_http_web/oidc/helpers.ex  |   9 -
 .../fz_http_web/{channels => }/presence.ex    |   0
 apps/fz_http/lib/fz_http_web/router.ex        |  22 +-
 apps/fz_http/lib/fz_http_web/sandbox.ex       |  41 +
 .../{channels => sockets}/user_socket.ex      |  36 +-
 .../fz_http/lib/fz_http_web/user_from_auth.ex |  18 +-
 .../lib/fz_http_web/views/error_view.ex       |   4 +
 apps/fz_http/mix.exs                          |  88 +-
 ...104000803_add_users_sign_in_token_hash.exs |  10 +
 ...104181853_change_users_email_to_citext.exs |  11 +
 .../connectivity_check_service_test.exs       |   1 -
 apps/fz_http/test/fz_http/devices_test.exs    |   2 +-
 .../test/fz_http/oidc/refresher_test.exs      |  41 +-
 apps/fz_http/test/fz_http/release_test.exs    |   7 +-
 apps/fz_http/test/fz_http/telemetry_test.exs  |  13 +-
 apps/fz_http/test/fz_http/users_test.exs      | 754 +++++++++++-------
 .../fz_http_web/acceptance/admin_test.exs     | 673 ++++++++++++++++
 .../acceptance/authentication_test.exs        | 414 ++++++++++
 .../acceptance/unprivileged_user_test.exs     | 166 ++++
 .../channels/notification_channel_test.exs    |  22 +-
 .../controllers/auth_controller_test.exs      | 126 +--
 .../controllers/json/user_controller_test.exs |  38 +-
 .../controllers/user_controller_test.exs      |   2 +-
 .../live/setting_live/account_test.exs        |   7 +-
 .../live/setting_live/security_test.exs       |   9 +-
 .../unprivileged/account_test.exs             |   9 +-
 .../fz_http_web/live/user_live/index_test.exs |   6 +-
 .../fz_http_web/live/user_live/show_test.exs  |   2 +-
 .../mailer_test/auth_email_test.exs           |  28 -
 .../test/fz_http_web/user_from_auth_test.exs  |  28 +-
 apps/fz_http/test/support/acceptance_case.ex  | 297 +++++++
 .../test/support/acceptance_case/auth.ex      |  91 +++
 .../test/support/acceptance_case/vault.ex     | 113 +++
 apps/fz_http/test/support/data_case.ex        |   3 +-
 .../fixtures/configurations_fixtures.ex       | 122 ++-
 .../test/support/fixtures/devices_fixtures.ex |  13 +
 .../test/support/fixtures/users_fixtures.ex   |  43 +-
 .../test/support/mocks/openid_connect.ex      |   9 -
 apps/fz_http/test/support/test_helpers.ex     |   3 +-
 apps/fz_http/test/test_helper.exs             |   7 +-
 apps/fz_vpn/.formatter.exs                    |   9 +
 apps/fz_vpn/lib/fz_vpn/application.ex         |   8 +-
 apps/fz_vpn/mix.exs                           |   2 -
 apps/fz_wall/.formatter.exs                   |   9 +
 apps/fz_wall/lib/fz_wall/application.ex       |   2 +-
 apps/fz_wall/mix.exs                          |   4 +-
 config/config.exs                             |   3 +-
 config/runtime.exs                            |   2 +-
 config/test.exs                               |  15 +-
 docker-compose.yml                            |   3 +-
 mix.exs                                       |  17 +-
 mix.lock                                      |  16 +-
 109 files changed, 3503 insertions(+), 1329 deletions(-)
 create mode 100644 apps/fz_common/.formatter.exs
 create mode 100644 apps/fz_http/.formatter.exs
 delete mode 100644 apps/fz_http/lib/fz_http/oidc/start_proxy.ex
 create mode 100644 apps/fz_http/lib/fz_http/oidc/supervisor.ex
 delete mode 100644 apps/fz_http/lib/fz_http/users/password_helpers.ex
 create mode 100644 apps/fz_http/lib/fz_http/users/user/changeset.ex
 create mode 100644 apps/fz_http/lib/fz_http/users/user/query.ex
 rename apps/fz_http/lib/fz_http/{validators/common.ex => validator.ex} (51%)
 delete mode 100644 apps/fz_http/lib/fz_http/validators/openid_connect.ex
 delete mode 100644 apps/fz_http/lib/fz_http/validators/saml.ex
 create mode 100644 apps/fz_http/lib/fz_http_web/live/hooks/allow_ecto_sandbox.ex
 delete mode 100644 apps/fz_http/lib/fz_http_web/oidc/helpers.ex
 rename apps/fz_http/lib/fz_http_web/{channels => }/presence.ex (100%)
 create mode 100644 apps/fz_http/lib/fz_http_web/sandbox.ex
 rename apps/fz_http/lib/fz_http_web/{channels => sockets}/user_socket.ex (91%)
 create mode 100644 apps/fz_http/priv/repo/migrations/20230104000803_add_users_sign_in_token_hash.exs
 create mode 100644 apps/fz_http/priv/repo/migrations/20230104181853_change_users_email_to_citext.exs
 create mode 100644 apps/fz_http/test/fz_http_web/acceptance/admin_test.exs
 create mode 100644 apps/fz_http/test/fz_http_web/acceptance/authentication_test.exs
 create mode 100644 apps/fz_http/test/fz_http_web/acceptance/unprivileged_user_test.exs
 delete mode 100644 apps/fz_http/test/fz_http_web/mailer_test/auth_email_test.exs
 create mode 100644 apps/fz_http/test/support/acceptance_case.ex
 create mode 100644 apps/fz_http/test/support/acceptance_case/auth.ex
 create mode 100644 apps/fz_http/test/support/acceptance_case/vault.ex
 delete mode 100644 apps/fz_http/test/support/mocks/openid_connect.ex
 create mode 100644 apps/fz_vpn/.formatter.exs
 create mode 100644 apps/fz_wall/.formatter.exs

diff --git a/.credo.exs b/.credo.exs
index b91764922..f23eb309c 100644
--- a/.credo.exs
+++ b/.credo.exs
@@ -83,7 +83,7 @@
           # Priority values are: `low, normal, high, higher`
           #
           {Credo.Check.Design.AliasUsage,
-           [priority: :low, if_nested_deeper_than: 2, if_called_more_often_than: 2]},
+           [priority: :low, if_nested_deeper_than: 5, if_called_more_often_than: 6]},
           # You can also customize the exit_status of each check.
           # If you don't want TODO comments to cause `mix credo` to fail, just
           # set this value to 0 (zero).
@@ -112,7 +112,6 @@
           {Credo.Check.Readability.TrailingWhiteSpace, []},
           {Credo.Check.Readability.UnnecessaryAliasExpansion, []},
           {Credo.Check.Readability.VariableNames, []},
-          {Credo.Check.Readability.WithSingleClause, []},
 
           #
           ## Refactoring Opportunities
diff --git a/.formatter.exs b/.formatter.exs
index 2ded1cba3..e72b167e6 100644
--- a/.formatter.exs
+++ b/.formatter.exs
@@ -1,17 +1,7 @@
-# Used by "mix format"
 [
-  import_deps: [
-    :ecto,
-    :phoenix
-  ],
+  subdirectories: ["apps/*"],
   inputs: [
-    "*.{heex,ex,exs}",
-    "{config,priv}/**/*.{heex,ex,exs}",
-    "apps/{fz_vpn,fz_wall}/**/*.{heex,ex,exs}",
-    "apps/fz_http/*.exs",
-    "apps/fz_http/{lib,test,priv}/**/*.{heex,ex,exs}"
-  ],
-  plugins: [
-    Phoenix.LiveView.HTMLFormatter
+    "*.{ex,exs}",
+    "{config,priv}/**/*.{ex,exs}"
   ]
 ]
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 4e877d8a5..b4fcb50fb 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -54,11 +54,147 @@ jobs:
           key: ${{ runner.os }}-${{ env.cache-name }}-${{ hashFiles('**/mix.lock') }}
       - name: Install Dependencies
         run: mix deps.get --only $MIX_ENV
+      - name: Compile Dependencies
+        run: mix deps.compile --skip-umbrella-children
+      - name: Compile Application
+        run: mix compile
       - name: Setup Database
         run: |
           mix ecto.create
           mix ecto.migrate
       - name: Run Tests and Upload Coverage Report
+        env:
+          E2E_MAX_WAIT_SECONDS: 20
         run: |
           # XXX: This can fail when coveralls is down
           mix coveralls.github --umbrella
+      - name: Test Report
+        uses: dorny/test-reporter@v1
+        if: success() || failure()
+        with:
+          name: Elixir Unit Test Report
+          path: _build/test/lib/*/test-junit-report.xml
+          reporter: java-junit
+  acceptance-test:
+    runs-on: ubuntu-latest
+    env:
+      MIX_ENV: test
+      POSTGRES_HOST: localhost
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      MIX_TEST_PARTITIONS: 4
+    strategy:
+      fail-fast: false
+      matrix:
+        MIX_TEST_PARTITION: [1, 2, 3, 4]
+    services:
+      postgres:
+        image: postgres:15
+        ports:
+          - 5432:5432
+        env:
+          POSTGRES_USER: postgres
+          POSTGRES_PASSWORD: postgres
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+      vault:
+        image: vault:1.12.2
+        env:
+          VAULT_ADDR: 'http://127.0.0.1:8200'
+          VAULT_DEV_ROOT_TOKEN_ID: 'firezone'
+        ports:
+          - 8200:8200/tcp
+        options:
+          --cap-add=IPC_LOCK
+    steps:
+      - uses: nanasess/setup-chromedriver@v1
+        with:
+          chromedriver-version: '108.0.5359.71'
+      - run: |
+          export DISPLAY=:99
+          chromedriver --url-base=/wd/hub &
+          sudo Xvfb -ac :99 -screen 0 1280x1024x24 > /dev/null 2>&1 &
+      - name: Install package dependencies
+        run: |
+          sudo apt-get install -q -y \
+            net-tools \
+            wireguard
+      - uses: actions/checkout@v3
+      - uses: erlef/setup-beam@v1
+        with:
+          otp-version: '25'
+          elixir-version: '1.14'
+      - uses: actions/cache@v3
+        name: Elixir Deps Cache
+        env:
+          cache-name: cache-elixir-deps
+        with:
+          path: deps
+          key: ${{ runner.os }}-${{ env.cache-name }}-${{ hashFiles('**/mix.lock') }}
+          restore-keys: |
+            ${{ runner.os }}-${{ env.cache-name }}-
+      - uses: actions/cache@v3
+        name: Elixir Build Cache
+        env:
+          cache-name: cache-elixir-build
+        with:
+          path: _build
+          key: ${{ runner.os }}-${{ env.cache-name }}-${{ hashFiles('**/mix.lock') }}
+      - uses: actions/cache@v3
+        name: Yarn Deps Cache
+        env:
+          cache-name: cache-yarn-build
+        with:
+          path: apps/fz_http/assets/node_modules
+          key: ${{ runner.os }}-${{ env.cache-name }}-${{ hashFiles('**/yarn.lock') }}
+      - uses: actions/cache@v3
+        name: Assets Cache
+        env:
+          cache-name: cache-assets-build
+        with:
+          path: apps/fz_http/priv/static/dist
+          key: ${{ runner.os }}-${{ env.cache-name }}-${{ hashFiles('**/yarn.lock') }}
+      - name: Install Dependencies
+        run: mix deps.get --only $MIX_ENV
+      - name: Compile Dependencies
+        run: mix deps.compile --skip-umbrella-children
+      - name: Compile Application
+        run: mix compile
+      - name: Install Node Dependencies
+        run: |
+          cd apps/fz_http/assets
+          yarn install --frozen-lockfile
+      - name: Build Assets
+        run: |
+          cd apps/fz_http/assets
+          yarn deploy
+      - name: Setup Database
+        run: |
+          mix ecto.create
+          mix ecto.migrate
+      - name: Run Tests and Upload Coverage Report
+        env:
+          MIX_TEST_PARTITION: ${{ matrix.MIX_TEST_PARTITION }}
+          E2E_MAX_WAIT_SECONDS: 20
+        run: |
+          mix test --only acceptance:true \
+                   --partitions=${{ env.MIX_TEST_PARTITIONS }} \
+                   --no-compile \
+                   --no-archives-check \
+                   --no-deps-check \
+              || mix test --failed
+      - name: Save Screenshots
+        if: always()
+        uses: actions/upload-artifact@v3
+        with:
+          name: screenshots
+          path: apps/fz_http/screenshots
+      - name: Test Report
+        uses: dorny/test-reporter@v1
+        if: success() || failure()
+        with:
+          name: Elixir Acceptance Test Report
+          path: _build/test/lib/*/test-junit-report.xml
+          reporter: java-junit
diff --git a/apps/fz_common/.formatter.exs b/apps/fz_common/.formatter.exs
new file mode 100644
index 000000000..7f9277b11
--- /dev/null
+++ b/apps/fz_common/.formatter.exs
@@ -0,0 +1,9 @@
+[
+  locals_without_parens: [],
+  import_deps: [],
+  inputs: [
+    "*.{ex,exs}",
+    "{lib,test,priv}/**/*.{ex,exs}"
+  ],
+  plugins: []
+]
diff --git a/apps/fz_common/lib/fz_crypto.ex b/apps/fz_common/lib/fz_crypto.ex
index db9cc362b..c657fc8c7 100644
--- a/apps/fz_common/lib/fz_crypto.ex
+++ b/apps/fz_common/lib/fz_crypto.ex
@@ -1,8 +1,4 @@
 defmodule FzCommon.FzCrypto do
-  @moduledoc """
-  Utilities for working with crypto functions
-  """
-
   @wg_psk_length 32
 
   def psk do
@@ -20,6 +16,7 @@ defmodule FzCommon.FzCrypto do
 
   defp rand_base64(length, :url) do
     :crypto.strong_rand_bytes(length)
+    # XXX: we want to add `padding: false` to shorten URLs
     |> Base.url_encode64()
   end
 
@@ -27,4 +24,10 @@ defmodule FzCommon.FzCrypto do
     :crypto.strong_rand_bytes(length)
     |> Base.encode64()
   end
+
+  def hash(value), do: Argon2.hash_pwd_salt(value)
+
+  def equal?(token, hash) when is_nil(token) or is_nil(hash), do: Argon2.no_user_verify()
+  def equal?(token, hash) when token == "" or hash == "", do: Argon2.no_user_verify()
+  def equal?(token, hash), do: Argon2.verify_pass(token, hash)
 end
diff --git a/apps/fz_common/mix.exs b/apps/fz_common/mix.exs
index 7eb9a65b9..3b96d9522 100644
--- a/apps/fz_common/mix.exs
+++ b/apps/fz_common/mix.exs
@@ -32,12 +32,9 @@ defmodule FzCommon.MixProject do
   defp deps do
     [
       {:file_size, "~> 3.0.1"},
+      {:cidr, github: "firezone/cidr-elixir"},
       {:posthog, "~> 0.1"},
-      {:jason, "~> 1.2"},
-      {:cidr, github: "firezone/cidr-elixir"}
-      # {:dep_from_hexpm, "~> 0.3.0"},
-      # {:dep_from_git, git: "https://github.com/elixir-lang/my_dep.git", tag: "0.1.0"},
-      # {:sibling_app_in_umbrella, in_umbrella: true}
+      {:argon2_elixir, "~> 2.0"}
     ]
   end
 end
diff --git a/apps/fz_http/.formatter.exs b/apps/fz_http/.formatter.exs
new file mode 100644
index 000000000..ae02b79cd
--- /dev/null
+++ b/apps/fz_http/.formatter.exs
@@ -0,0 +1,18 @@
+[
+  locals_without_parens: [
+    assert_authenticated: 2,
+    assert_unauthenticated: 1
+  ],
+  import_deps: [
+    :ecto,
+    :phoenix,
+    :phoenix_live_view
+  ],
+  inputs: [
+    "*.{heex,ex,exs}",
+    "{lib,test,priv}/**/*.{heex,ex,exs}"
+  ],
+  plugins: [
+    Phoenix.LiveView.HTMLFormatter
+  ]
+]
diff --git a/apps/fz_http/assets/js/live_view.js b/apps/fz_http/assets/js/live_view.js
index 1ed31568c..fb3c8f2a1 100644
--- a/apps/fz_http/assets/js/live_view.js
+++ b/apps/fz_http/assets/js/live_view.js
@@ -20,8 +20,7 @@ const channelToken = document
   .getAttribute("content")
 const notificationChannel =
   userSocket.channel("notification:session", {
-    token: channelToken,
-    user_agent: window.navigator.userAgent
+    token: channelToken
   })
 
 // LiveView setup
@@ -71,3 +70,4 @@ notificationChannel.join()
 // >> liveSocket.enableLatencySim(1000)
 
 window.liveSocket = liveSocket
+window.userSocket = userSocket
diff --git a/apps/fz_http/lib/fz_http.ex b/apps/fz_http/lib/fz_http.ex
index 913700aa9..481a2438e 100644
--- a/apps/fz_http/lib/fz_http.ex
+++ b/apps/fz_http/lib/fz_http.ex
@@ -12,6 +12,19 @@ defmodule FzHttp do
     end
   end
 
+  def changeset do
+    quote do
+      import Ecto.Changeset
+      import FzHttp.Validator
+    end
+  end
+
+  def query do
+    quote do
+      import Ecto.Query
+    end
+  end
+
   @doc """
   When used, dispatch to the appropriate schema/context/changeset/query/etc.
   """
diff --git a/apps/fz_http/lib/fz_http/application.ex b/apps/fz_http/lib/fz_http/application.ex
index 45dac53b8..a7a1af5da 100644
--- a/apps/fz_http/lib/fz_http/application.ex
+++ b/apps/fz_http/lib/fz_http/application.ex
@@ -11,7 +11,7 @@ defmodule FzHttp.Application do
     # See https://hexdocs.pm/elixir/Supervisor.html
     # for other strategies and supported options
     Telemetry.fz_http_started()
-    opts = [strategy: :one_for_one, name: FzHttp.Supervisor]
+    opts = [strategy: :one_for_one, name: __MODULE__.Supervisor]
     Supervisor.start_link(children(), opts)
   end
 
@@ -31,17 +31,16 @@ defmodule FzHttp.Application do
       {Postgrex.Notifications, [name: FzHttp.Repo.Notifications] ++ FzHttp.Repo.config()},
       FzHttp.Repo.Notifier,
       FzHttp.Vault,
-      FzHttpWeb.Endpoint,
       {Phoenix.PubSub, name: FzHttp.PubSub},
       {FzHttp.Notifications, name: FzHttp.Notifications},
       FzHttpWeb.Presence,
       FzHttp.ConnectivityCheckService,
       FzHttp.TelemetryPingService,
       FzHttp.VpnSessionScheduler,
-      FzHttp.OIDC.StartProxy,
       FzHttp.SAML.StartProxy,
       {DynamicSupervisor, name: FzHttp.RefresherSupervisor, strategy: :one_for_one},
-      FzHttp.OIDC.RefreshManager
+      FzHttp.OIDC.RefreshManager,
+      FzHttpWeb.Endpoint
     ]
   end
 
@@ -50,12 +49,11 @@ defmodule FzHttp.Application do
       FzHttp.Server,
       FzHttp.Repo,
       FzHttp.Vault,
-      FzHttpWeb.Endpoint,
-      {FzHttp.OIDC.StartProxy, :test},
       {FzHttp.SAML.StartProxy, :test},
       {Phoenix.PubSub, name: FzHttp.PubSub},
       {FzHttp.Notifications, name: FzHttp.Notifications},
-      FzHttpWeb.Presence
+      FzHttpWeb.Presence,
+      FzHttpWeb.Endpoint
     ]
   end
 
diff --git a/apps/fz_http/lib/fz_http/configurations.ex b/apps/fz_http/lib/fz_http/configurations.ex
index d4896ac80..d5e847828 100644
--- a/apps/fz_http/lib/fz_http/configurations.ex
+++ b/apps/fz_http/lib/fz_http/configurations.ex
@@ -11,21 +11,44 @@ defmodule FzHttp.Configurations do
     Map.get(get_configuration!(), key)
   end
 
+  def fetch_oidc_provider_config(provider_id) do
+    get!(:openid_connect_providers)
+    |> Enum.find(&(&1.id == provider_id))
+    |> case do
+      nil ->
+        {:error, :not_found}
+
+      provider ->
+        external_url = FzHttp.Config.fetch_env!(:fz_http, :external_url)
+
+        {:ok,
+         %{
+           discovery_document_uri: provider.discovery_document_uri,
+           client_id: provider.client_id,
+           client_secret: provider.client_secret,
+           redirect_uri:
+             provider.redirect_uri || "#{external_url}/auth/oidc/#{provider.id}/callback/",
+           response_type: provider.response_type,
+           scope: provider.scope
+         }}
+    end
+  end
+
   def put!(key, val) do
-    get_configuration!()
-    |> Configuration.changeset(%{key => val})
-    |> Repo.update!()
+    configuration =
+      get_configuration!()
+      |> Configuration.changeset(%{key => val})
+      |> Repo.update!()
+
+    FzHttp.SAML.StartProxy.restart()
+
+    configuration
   end
 
   def get_configuration! do
     Repo.one!(Configuration)
   end
 
-  def get_provider_by_id(field, provider_id) do
-    FzHttp.Configurations.get!(field)
-    |> Enum.find(&(&1.id == provider_id))
-  end
-
   def auto_create_users?(field, provider_id) do
     FzHttp.Configurations.get!(field)
     |> Enum.find(&(&1.id == provider_id))
@@ -47,7 +70,6 @@ defmodule FzHttp.Configurations do
     case Repo.update(Configuration.changeset(config, attrs)) do
       {:ok, configuration} ->
         FzHttp.SAML.StartProxy.restart()
-        FzHttp.OIDC.StartProxy.restart()
 
         {:ok, configuration}
 
diff --git a/apps/fz_http/lib/fz_http/configurations/configuration.ex b/apps/fz_http/lib/fz_http/configurations/configuration.ex
index 0236c0a2e..be521ca50 100644
--- a/apps/fz_http/lib/fz_http/configurations/configuration.ex
+++ b/apps/fz_http/lib/fz_http/configurations/configuration.ex
@@ -7,7 +7,7 @@ defmodule FzHttp.Configurations.Configuration do
 
   alias FzHttp.{
     Configurations.Logo,
-    Validators.Common
+    Validator
   }
 
   @min_mtu 576
@@ -83,12 +83,12 @@ defmodule FzHttp.Configurations.Configuration do
     |> cast_embed(:saml_identity_providers,
       with: {FzHttp.Configurations.Configuration.SAMLIdentityProvider, :changeset, []}
     )
-    |> Common.trim_change(:default_client_dns)
-    |> Common.trim_change(:default_client_allowed_ips)
-    |> Common.trim_change(:default_client_endpoint)
-    |> Common.validate_no_duplicates(:default_client_dns)
-    |> Common.validate_list_of_ips_or_cidrs(:default_client_allowed_ips)
-    |> Common.validate_no_duplicates(:default_client_allowed_ips)
+    |> Validator.trim_change(:default_client_dns)
+    |> Validator.trim_change(:default_client_allowed_ips)
+    |> Validator.trim_change(:default_client_endpoint)
+    |> Validator.validate_no_duplicates(:default_client_dns)
+    |> Validator.validate_list_of_ips_or_cidrs(:default_client_allowed_ips)
+    |> Validator.validate_no_duplicates(:default_client_allowed_ips)
     |> validate_number(:default_client_mtu,
       greater_than_or_equal_to: @min_mtu,
       less_than_or_equal_to: @max_mtu
diff --git a/apps/fz_http/lib/fz_http/configurations/configuration/openid_connect_provider.ex b/apps/fz_http/lib/fz_http/configurations/configuration/openid_connect_provider.ex
index 8597b7888..c503e70c7 100644
--- a/apps/fz_http/lib/fz_http/configurations/configuration/openid_connect_provider.ex
+++ b/apps/fz_http/lib/fz_http/configurations/configuration/openid_connect_provider.ex
@@ -4,7 +4,7 @@ defmodule FzHttp.Configurations.Configuration.OpenIDConnectProvider do
   """
   use FzHttp, :schema
   import Ecto.Changeset
-  alias FzHttp.Validators
+  alias FzHttp.Validator
 
   @reserved_config_ids [
     "identity",
@@ -23,7 +23,7 @@ defmodule FzHttp.Configurations.Configuration.OpenIDConnectProvider do
     field :client_secret, :string
     field :discovery_document_uri, :string
     field :redirect_uri, :string
-    field :auto_create_users, :boolean, default: true
+    field :auto_create_users, :boolean
   end
 
   def changeset(struct \\ %__MODULE__{}, data) do
@@ -54,9 +54,22 @@ defmodule FzHttp.Configurations.Configuration.OpenIDConnectProvider do
     ])
     # Don't allow users to enter reserved config ids
     |> validate_exclusion(:id, @reserved_config_ids)
-    |> Validators.OpenIDConnect.validate_discovery_document_uri()
-    |> Validators.Common.validate_uri([
+    |> validate_discovery_document_uri()
+    |> Validator.validate_uri([
       :redirect_uri
     ])
   end
+
+  def validate_discovery_document_uri(changeset) do
+    changeset
+    |> validate_change(:discovery_document_uri, fn :discovery_document_uri, value ->
+      case OpenIDConnect.Document.fetch_document(value) do
+        {:ok, _update_result} ->
+          []
+
+        {:error, reason} ->
+          [discovery_document_uri: "is invalid. Reason: #{inspect(reason)}"]
+      end
+    end)
+  end
 end
diff --git a/apps/fz_http/lib/fz_http/configurations/configuration/saml_identity_provider.ex b/apps/fz_http/lib/fz_http/configurations/configuration/saml_identity_provider.ex
index 9317b8930..5fab12e57 100644
--- a/apps/fz_http/lib/fz_http/configurations/configuration/saml_identity_provider.ex
+++ b/apps/fz_http/lib/fz_http/configurations/configuration/saml_identity_provider.ex
@@ -4,7 +4,6 @@ defmodule FzHttp.Configurations.Configuration.SAMLIdentityProvider do
   """
   use FzHttp, :schema
   import Ecto.Changeset
-  alias FzHttp.Validators
 
   @primary_key false
   embedded_schema do
@@ -16,7 +15,7 @@ defmodule FzHttp.Configurations.Configuration.SAMLIdentityProvider do
     field :sign_metadata, :boolean, default: true
     field :signed_assertion_in_resp, :boolean, default: true
     field :signed_envelopes_in_resp, :boolean, default: true
-    field :auto_create_users, :boolean, default: true
+    field :auto_create_users, :boolean
   end
 
   def changeset(struct \\ %__MODULE__{}, data) do
@@ -38,6 +37,19 @@ defmodule FzHttp.Configurations.Configuration.SAMLIdentityProvider do
       :metadata,
       :auto_create_users
     ])
-    |> Validators.SAML.validate_metadata()
+    |> validate_metadata()
+  end
+
+  def validate_metadata(changeset) do
+    changeset
+    |> validate_change(:metadata, fn :metadata, value ->
+      try do
+        Samly.IdpData.from_xml(value, %Samly.IdpData{})
+        []
+      catch
+        :exit, e ->
+          [metadata: "is invalid. Details: #{inspect(e)}."]
+      end
+    end)
   end
 end
diff --git a/apps/fz_http/lib/fz_http/devices.ex b/apps/fz_http/lib/fz_http/devices.ex
index 868278845..62ff3f6df 100644
--- a/apps/fz_http/lib/fz_http/devices.ex
+++ b/apps/fz_http/lib/fz_http/devices.ex
@@ -120,14 +120,12 @@ defmodule FzHttp.Devices do
   end
 
   def to_peer_list do
-    vpn_duration = Configurations.vpn_duration()
-
     Repo.all(
       from d in Device,
         preload: :user
     )
     |> Enum.filter(fn device ->
-      !device.user.disabled_at && !Users.vpn_session_expired?(device.user, vpn_duration)
+      !device.user.disabled_at && !Users.vpn_session_expired?(device.user)
     end)
     |> Enum.map(fn device ->
       %{
diff --git a/apps/fz_http/lib/fz_http/devices/device.ex b/apps/fz_http/lib/fz_http/devices/device.ex
index 1ae8d9193..dc1671954 100644
--- a/apps/fz_http/lib/fz_http/devices/device.ex
+++ b/apps/fz_http/lib/fz_http/devices/device.ex
@@ -4,7 +4,7 @@ defmodule FzHttp.Devices.Device do
   """
   use FzHttp, :schema
   import Ecto.Changeset
-  alias FzHttp.Validators.Common
+  alias FzHttp.Validator
   alias FzHttp.Devices
   require Logger
 
@@ -72,8 +72,8 @@ defmodule FzHttp.Devices.Device do
   def create_changeset(attrs) do
     %__MODULE__{}
     |> cast(attrs, @fields)
-    |> Common.put_default_value(:name, &FzHttp.Devices.new_name/0)
-    |> Common.put_default_value(:preshared_key, &FzCommon.FzCrypto.psk/0)
+    |> Validator.put_default_value(:name, &FzHttp.Devices.new_name/0)
+    |> Validator.put_default_value(:preshared_key, &FzCommon.FzCrypto.psk/0)
     |> changeset()
     |> validate_max_devices()
     |> validate_required(@required_fields)
@@ -88,13 +88,13 @@ defmodule FzHttp.Devices.Device do
 
   defp changeset(changeset) do
     changeset
-    |> Common.trim_change(:allowed_ips)
-    |> Common.trim_change(:dns)
-    |> Common.trim_change(:endpoint)
-    |> Common.trim_change(:name)
-    |> Common.trim_change(:description)
-    |> Common.validate_base64(:public_key)
-    |> Common.validate_base64(:preshared_key)
+    |> Validator.trim_change(:allowed_ips)
+    |> Validator.trim_change(:dns)
+    |> Validator.trim_change(:endpoint)
+    |> Validator.trim_change(:name)
+    |> Validator.trim_change(:description)
+    |> Validator.validate_base64(:public_key)
+    |> Validator.validate_base64(:preshared_key)
     |> validate_length(:public_key, is: @key_length)
     |> validate_length(:preshared_key, is: @key_length)
     |> validate_length(:description, max: @description_max_length)
@@ -108,8 +108,8 @@ defmodule FzHttp.Devices.Device do
       persistent_keepalive
       mtu
     ]a)
-    |> Common.validate_list_of_ips_or_cidrs(:allowed_ips)
-    |> Common.validate_no_duplicates(:dns)
+    |> Validator.validate_list_of_ips_or_cidrs(:allowed_ips)
+    |> Validator.validate_no_duplicates(:dns)
     |> validate_number(:persistent_keepalive,
       greater_than_or_equal_to: 0,
       less_than_or_equal_to: 120
@@ -194,7 +194,7 @@ defmodule FzHttp.Devices.Device do
   end
 
   defp validate_omitted_if_default(changeset, fields) when is_list(fields) do
-    Common.validate_omitted(
+    Validator.validate_omitted(
       changeset,
       filter_default_fields(changeset, fields, use_default: true)
     )
diff --git a/apps/fz_http/lib/fz_http/devices/device/query.ex b/apps/fz_http/lib/fz_http/devices/device/query.ex
index 31088887c..4bd5d2e83 100644
--- a/apps/fz_http/lib/fz_http/devices/device/query.ex
+++ b/apps/fz_http/lib/fz_http/devices/device/query.ex
@@ -1,5 +1,5 @@
 defmodule FzHttp.Devices.Device.Query do
-  import Ecto.Query
+  use FzHttp, :query
 
   @doc """
   Returns IP address at given integer offset relative to start of CIDR range.
@@ -40,7 +40,7 @@ defmodule FzHttp.Devices.Device.Query do
   end
 
   def all do
-    from(device in FzHttp.Devices.Device, as: :device)
+    from(device in FzHttp.Devices.Device, as: :devices)
   end
 
   @doc """
@@ -103,13 +103,19 @@ defmodule FzHttp.Devices.Device.Query do
   end
 
   defp select_not_used_ips(queryable, network_cidr, reserved_ips) do
+    host_as_string = network_cidr.address |> :inet.ntoa() |> List.to_string()
+
     queryable
     |> where(
       [q: q],
       offset_to_ip(q.ip, ^network_cidr) not in subquery(used_ips_subquery(network_cidr))
     )
     |> where([q: q], offset_to_ip(q.ip, ^network_cidr) not in ^reserved_ips)
-    |> where([q: q], acquire_advisory_lock(q.ip) == true)
+    |> where(
+      [q: q],
+      acquire_advisory_lock(fragment("hashtext(?) + ?", ^host_as_string, q.ip)) ==
+        true
+    )
     |> select([q: q], offset_to_ip(q.ip, ^network_cidr))
   end
 
@@ -117,10 +123,10 @@ defmodule FzHttp.Devices.Device.Query do
 
   defp used_ips_subquery(queryable, %Postgrex.INET{address: address})
        when tuple_size(address) == 4 do
-    select(queryable, [device: device], device.ipv4)
+    select(queryable, [devices: devices], devices.ipv4)
   end
 
   defp used_ips_subquery(queryable, %Postgrex.INET{address: _address}) do
-    select(queryable, [device: device], device.ipv6)
+    select(queryable, [devices: devices], devices.ipv6)
   end
 end
diff --git a/apps/fz_http/lib/fz_http/events.ex b/apps/fz_http/lib/fz_http/events.ex
index 3cf31902e..9f80c2d55 100644
--- a/apps/fz_http/lib/fz_http/events.ex
+++ b/apps/fz_http/lib/fz_http/events.ex
@@ -23,7 +23,7 @@ defmodule FzHttp.Events do
           information.
           """,
           timestamp: DateTime.utc_now(),
-          user: Users.get_user!(device.user_id).email
+          user: Users.fetch_user_by_id!(device.user_id).email
         })
     end
   end
@@ -54,7 +54,7 @@ defmodule FzHttp.Events do
           information.
           """,
           timestamp: DateTime.utc_now(),
-          user: Users.get_user!(device.user_id).email
+          user: Users.fetch_user_by_id!(device.user_id).email
         })
     end
   end
diff --git a/apps/fz_http/lib/fz_http/oidc/refresher.ex b/apps/fz_http/lib/fz_http/oidc/refresher.ex
index 9180cc31f..97ed3ac9c 100644
--- a/apps/fz_http/lib/fz_http/oidc/refresher.ex
+++ b/apps/fz_http/lib/fz_http/oidc/refresher.ex
@@ -3,11 +3,8 @@ defmodule FzHttp.OIDC.Refresher do
   Worker module for refreshing OIDC connections
   """
   use GenServer, restart: :temporary
-
   import Ecto.{Changeset, Query}
-  import FzHttpWeb.OIDC.Helpers
-
-  alias FzHttp.{OIDC, OIDC.Connection, Repo, Users}
+  alias FzHttp.{Configurations, OIDC, OIDC.Connection, Repo, Users}
   require Logger
 
   def start_link(init_opts) do
@@ -36,22 +33,16 @@ defmodule FzHttp.OIDC.Refresher do
   defp do_refresh(user_id, %{provider: provider_id, refresh_token: refresh_token} = conn) do
     Logger.info("Refreshing user\##{user_id} @ #{provider_id}...")
 
-    result =
-      openid_connect().fetch_tokens(
-        provider_id,
-        %{grant_type: "refresh_token", refresh_token: refresh_token}
-      )
-
     refresh_response =
-      case result do
-        {:ok, refreshed} ->
-          refreshed
-
-        {:error, :fetch_tokens, %{body: body}} ->
-          %{error: body}
-
-        _ ->
-          %{error: "unknown error"}
+      with {:ok, config} <- Configurations.fetch_oidc_provider_config(provider_id),
+           {:ok, tokens} <-
+             OpenIDConnect.fetch_tokens(config, %{
+               grant_type: "refresh_token",
+               refresh_token: refresh_token
+             }) do
+        tokens
+      else
+        {:error, reason} -> %{error: inspect(reason)}
       end
 
     OIDC.update_connection(conn, %{
@@ -60,7 +51,7 @@ defmodule FzHttp.OIDC.Refresher do
     })
 
     with %{error: _} <- refresh_response do
-      user = Users.get_user!(user_id)
+      user = Users.fetch_user_by_id!(user_id)
 
       Logger.info("Disabling user #{user.email} due to OIDC token refresh failure...")
 
diff --git a/apps/fz_http/lib/fz_http/oidc/start_proxy.ex b/apps/fz_http/lib/fz_http/oidc/start_proxy.ex
deleted file mode 100644
index df6e7a8b9..000000000
--- a/apps/fz_http/lib/fz_http/oidc/start_proxy.ex
+++ /dev/null
@@ -1,55 +0,0 @@
-defmodule FzHttp.OIDC.StartProxy do
-  @moduledoc """
-  This proxy simply gets the relevant config at an appropriate timing
-  """
-
-  require Logger
-
-  def child_spec(arg) do
-    %{id: __MODULE__, start: {__MODULE__, :start_link, [arg]}}
-  end
-
-  def start_link(:test) do
-    :ignore
-  end
-
-  def start_link(_) do
-    FzHttp.Configurations.get!(:openid_connect_providers)
-    |> parse()
-    |> OpenIDConnect.Worker.start_link()
-  end
-
-  # XXX: Remove when configurations support test fixtures
-  if Mix.env() == :test do
-    def restart, do: :ignore
-  else
-    def restart do
-      :ok = Supervisor.terminate_child(FzHttp.Supervisor, __MODULE__)
-      Supervisor.restart_child(FzHttp.Supervisor, __MODULE__)
-    end
-  end
-
-  # Convert the configuration record to something openid_connect expects,
-  # atom-keyed configs eg. [provider: [client_id: "CLIENT_ID" ...]]
-  defp parse(nil), do: []
-
-  defp parse(auth_oidc_config) when is_list(auth_oidc_config) do
-    external_url = FzHttp.Config.fetch_env!(:fz_http, :external_url)
-
-    Enum.map(auth_oidc_config, fn provider ->
-      {
-        provider.id,
-        [
-          discovery_document_uri: provider.discovery_document_uri,
-          client_id: provider.client_id,
-          client_secret: provider.client_secret,
-          redirect_uri:
-            provider.redirect_uri || "#{external_url}/auth/oidc/#{provider.id}/callback/",
-          response_type: provider.response_type,
-          scope: provider.scope,
-          label: provider.label
-        ]
-      }
-    end)
-  end
-end
diff --git a/apps/fz_http/lib/fz_http/oidc/supervisor.ex b/apps/fz_http/lib/fz_http/oidc/supervisor.ex
new file mode 100644
index 000000000..e69de29bb
diff --git a/apps/fz_http/lib/fz_http/release.ex b/apps/fz_http/lib/fz_http/release.ex
index 34cdbfb85..d82f8e144 100644
--- a/apps/fz_http/lib/fz_http/release.ex
+++ b/apps/fz_http/lib/fz_http/release.ex
@@ -31,11 +31,11 @@ defmodule FzHttp.Release do
         change_password(email(), default_password())
         reset_role(email(), :admin)
       else
-        Users.create_admin_user(
+        Users.create_admin_user(%{
           email: email(),
           password: default_password(),
           password_confirmation: default_password()
-        )
+        })
       end
 
     # Notify the user
@@ -57,14 +57,13 @@ defmodule FzHttp.Release do
       "password_confirmation" => password
     }
 
-    {:ok, _user} =
-      Users.get_user!(email: email)
-      |> Users.admin_update_user(params)
+    {:ok, user} = Users.fetch_user_by_email(email)
+    {:ok, _user} = Users.admin_update_user(user, params)
   end
 
   def reset_role(email, role) do
-    Users.get_user!(email: email)
-    |> Users.update_user_role(role)
+    {:ok, user} = Users.fetch_user_by_email(email)
+    Users.update_user_role(user, role)
   end
 
   def repos do
@@ -80,7 +79,10 @@ defmodule FzHttp.Release do
   end
 
   defp default_admin_user do
-    Users.get_by_email(email())
+    case Users.fetch_user_by_email(email()) do
+      {:ok, user} -> user
+      {:error, :not_found} -> nil
+    end
   end
 
   defp mint_jwt(%User{} = user) do
diff --git a/apps/fz_http/lib/fz_http/repo.ex b/apps/fz_http/lib/fz_http/repo.ex
index 0e8355ed4..52c5d082b 100644
--- a/apps/fz_http/lib/fz_http/repo.ex
+++ b/apps/fz_http/lib/fz_http/repo.ex
@@ -3,5 +3,23 @@ defmodule FzHttp.Repo do
     otp_app: :fz_http,
     adapter: Ecto.Adapters.Postgres
 
-  require Logger
+  @doc """
+  Similar to `Ecto.Repo.one/2`, fetches a single result from the query.
+
+  Returns `{:ok, schema}` or `{:error, :not_found}` if no result was found.
+  Raises if there is more than one row matching the query.
+  """
+  @spec fetch(queryable :: Ecto.Queryable.t(), opts :: Keyword.t()) ::
+          {:ok, Ecto.Schema.t()} | {:error, :not_found}
+  def fetch(queryable, opts \\ []) do
+    case __MODULE__.one(queryable, opts) do
+      nil -> {:error, :not_found}
+      schema -> {:ok, schema}
+    end
+  end
+
+  @doc """
+  Alias of `Ecto.Repo.one!/2` added for naming convenience.
+  """
+  def fetch!(queryable, opts \\ []), do: __MODULE__.one!(queryable, opts)
 end
diff --git a/apps/fz_http/lib/fz_http/telemetry.ex b/apps/fz_http/lib/fz_http/telemetry.ex
index ba685ce45..73c21ae54 100644
--- a/apps/fz_http/lib/fz_http/telemetry.ex
+++ b/apps/fz_http/lib/fz_http/telemetry.ex
@@ -97,7 +97,7 @@ defmodule FzHttp.Telemetry do
     common_fields() ++
       [
         devices_active_within_24h: Devices.count_active_within(@active_device_window),
-        admin_count: Users.count(role: :admin),
+        admin_count: Users.count_by_role(:admin),
         user_count: Users.count(),
         in_docker: in_docker?(),
         device_count: Devices.count(),
diff --git a/apps/fz_http/lib/fz_http/users.ex b/apps/fz_http/lib/fz_http/users.ex
index 9641e648f..9268fbd76 100644
--- a/apps/fz_http/lib/fz_http/users.ex
+++ b/apps/fz_http/lib/fz_http/users.ex
@@ -1,140 +1,127 @@
 defmodule FzHttp.Users do
-  @moduledoc """
-  The Users context.
-  """
-
-  import Ecto.Changeset
-  import Ecto.Query, warn: false
-
-  alias FzHttp.Devices.Device
-  alias FzHttp.Repo
+  alias FzHttp.{Repo, Validator, Configurations}
   alias FzHttp.Telemetry
   alias FzHttp.Users.User
-  alias FzHttpWeb.Mailer
-
-  require Logger
-
-  # one hour
-  @sign_in_token_validity_secs 3600
+  require Ecto.Query
 
   def count do
-    Repo.one(from u in User, select: count(u.id))
+    User.Query.all()
+    |> Repo.aggregate(:count)
   end
 
-  def count(role: role) do
-    Repo.one(from u in User, select: count(u.id), where: u.role == ^role)
+  def count_by_role(role) do
+    User.Query.by_role(role)
+    |> Repo.aggregate(:count)
   end
 
-  def consume_sign_in_token(token) when is_binary(token) do
-    case find_and_clear_token(token) do
-      {:ok, {:ok, user}} -> {:ok, user}
-      {:ok, {:error, msg}} -> {:error, msg}
+  def fetch_user_by_id(id) do
+    if Validator.valid_uuid?(id) do
+      User.Query.by_id(id)
+      |> Repo.fetch()
+    else
+      {:error, :not_found}
     end
   end
 
-  def exists?(user_id) when is_nil(user_id) do
-    false
+  def fetch_user_by_id!(id) do
+    User.Query.by_id(id)
+    |> Repo.fetch!()
   end
 
-  def exists?(user_id) do
-    Repo.exists?(from u in User, where: u.id == ^user_id)
+  def fetch_user_by_email(email) do
+    User.Query.by_email(email)
+    |> Repo.fetch()
   end
 
-  def list_admins do
-    Repo.all(from User, where: [role: :admin])
-  end
-
-  def get_user!(email: email) do
-    Repo.get_by!(User, email: email)
-  end
-
-  def get_user!(id), do: Repo.get!(User, id)
-
-  def get_user(id), do: Repo.get(User, id)
-
-  def get_by_email(email) do
-    Repo.get_by(User, email: email)
-  end
-
-  def get_by_email!(email) do
-    Repo.get_by!(User, email: email)
-  end
-
-  def create_admin_user(attrs) do
-    create_user_with_role(attrs, :admin)
-  end
-
-  def create_unprivileged_user(attrs) do
-    create_user_with_role(attrs, :unprivileged)
-  end
-
-  def create_user_with_role(attrs, role) do
-    attrs
-    |> Enum.into(%{})
-    |> create_user(role: role)
-  end
-
-  def create_user(attrs, overwrites \\ []) do
-    changeset =
-      User
-      |> struct(sign_in_keys())
-      |> User.create_changeset(attrs)
-
-    result =
-      overwrites
-      |> Enum.reduce(changeset, fn {k, v}, cs -> put_change(cs, k, v) end)
-      |> Repo.insert()
-
-    case result do
-      {:ok, _user} ->
-        Telemetry.add_user()
-
-      _ ->
-        nil
+  def fetch_user_by_id_or_email(id_or_email) do
+    if Validator.valid_uuid?(id_or_email) do
+      fetch_user_by_id(id_or_email)
+    else
+      fetch_user_by_email(id_or_email)
     end
-
-    result
   end
 
-  def sign_in_keys do
-    %{
-      sign_in_token: FzCommon.FzCrypto.rand_string(),
-      sign_in_token_created_at: DateTime.utc_now()
-    }
+  def list_users(opts \\ []) do
+    {hydrate, _opts} = Keyword.pop(opts, :hydrate, [])
+
+    User.Query.all()
+    |> hydrate_fields(hydrate)
+    |> Repo.all()
   end
 
-  def admin_update_user(%User{} = user, attrs) do
+  defp hydrate_fields(queryable, []), do: queryable
+
+  defp hydrate_fields(queryable, [:device_count | rest]) do
+    queryable
+    |> User.Query.hydrate_device_count()
+    |> hydrate_fields(rest)
+  end
+
+  def request_sign_in_token(%User{} = user) do
     user
-    |> User.update_email(attrs)
-    |> User.update_role(attrs)
-    |> User.update_password(attrs)
+    |> User.Changeset.generate_sign_in_token()
     |> Repo.update()
   end
 
-  def admin_update_self(%User{} = user, attrs) do
+  def consume_sign_in_token(%User{sign_in_token_hash: nil}, _token) do
+    {:error, :no_token}
+  end
+
+  def consume_sign_in_token(%User{} = user, token) when is_binary(token) do
+    if FzCommon.FzCrypto.equal?(token, user.sign_in_token_hash) do
+      User.Query.by_id(user.id)
+      |> User.Query.where_sign_in_token_is_not_expired()
+      |> Ecto.Query.update(set: [sign_in_token_hash: nil, sign_in_token_created_at: nil])
+      |> Ecto.Query.select([users: users], users)
+      |> Repo.update_all([])
+      |> case do
+        {1, [user]} -> {:ok, user}
+        {0, []} -> {:error, :token_expired}
+      end
+    else
+      {:error, :invalid_token}
+    end
+  end
+
+  def create_admin_user(attrs) do
+    create_user(attrs, :admin)
+  end
+
+  def create_unprivileged_user(attrs) do
+    create_user(attrs, :unprivileged)
+  end
+
+  def create_user(attrs, role \\ :unprivileged) do
+    User.Changeset.create_changeset(role, attrs)
+    |> insert_user()
+  end
+
+  defp insert_user(%Ecto.Changeset{} = changeset) do
+    with {:ok, user} <- Repo.insert(changeset) do
+      Telemetry.add_user()
+      {:ok, user}
+    end
+  end
+
+  # XXX: This should go down to single function update_user(self, attrs, subject)
+  # where subject will know role of an updater and if he is updating himself.
+  def admin_update_user(%User{} = user, attrs) do
     user
-    |> User.update_email(attrs)
-    |> User.update_password(attrs)
-    |> User.require_current_password(attrs)
+    |> User.Changeset.update_user_role(attrs)
+    |> User.Changeset.update_user_email(attrs)
+    |> User.Changeset.update_user_password(attrs)
     |> Repo.update()
   end
 
   def unprivileged_update_self(%User{} = user, attrs) do
     user
-    |> User.require_password_change(attrs)
-    |> User.update_password(attrs)
+    |> User.Changeset.update_user_password(attrs)
     |> Repo.update()
   end
 
   def update_user_role(%User{} = user, role) do
     user
-    |> User.update_role(%{role: role})
-    |> Repo.update()
-  end
-
-  def update_user_sign_in_token(%User{} = user, attrs) do
-    user
-    |> User.update_sign_in_token(attrs)
+    |> User.Changeset.update_user_role(%{role: role})
     |> Repo.update()
   end
 
@@ -143,20 +130,14 @@ defmodule FzHttp.Users do
     Repo.delete(user)
   end
 
-  def change_user(%User{} = user \\ struct(User)) do
-    change(user)
-  end
-
-  def new_user do
-    change_user(%User{})
-  end
-
-  def list_users do
-    Repo.all(User)
+  # XXX: This should return real changeset not just a dummy one listing all the fields
+  def change_user(%User{} = user \\ %User{}) do
+    Ecto.Changeset.change(user)
   end
 
   def as_settings do
-    Repo.all(from u in User, select: %{id: u.id})
+    User.Query.select_id_map()
+    |> Repo.all()
     |> Enum.map(&setting_projection/1)
     |> MapSet.new()
   end
@@ -165,120 +146,35 @@ defmodule FzHttp.Users do
     user.id
   end
 
-  @doc """
-  Fetches all users and groups into an Enumerable that can be used for an HTML form input.
-  """
-  def as_options_for_select do
-    Repo.all(from u in User, select: {u.email, u.id})
-  end
-
-  def list_users(:with_device_counts) do
-    query =
-      from(
-        user in User,
-        left_join: device in Device,
-        on: device.user_id == user.id,
-        group_by: user.id,
-        select_merge: %{device_count: count(device.id)}
-      )
-
-    Repo.all(query)
-  end
-
-  def update_last_signed_in(user, %{provider: provider} = _auth) do
+  def update_last_signed_in(user, %{provider: provider}) do
     method =
       case provider do
         :identity -> "email"
-        m -> to_string(m)
+        other -> to_string(other)
       end
 
     user
-    |> User.update_last_signed_in(%{
+    |> User.Changeset.update_last_signed_in(%{
       last_signed_in_at: DateTime.utc_now(),
       last_signed_in_method: method
     })
     |> Repo.update()
   end
 
-  def enable_vpn_connection(user, %{provider: :identity}), do: user
-  def enable_vpn_connection(user, %{provider: :magic_link}), do: user
-
-  def enable_vpn_connection(user, %{provider: _oidc_provider}) do
-    user
-    |> change()
-    |> put_change(:disabled_at, nil)
-    |> Repo.update!()
+  def vpn_session_expires_at(user) do
+    DateTime.add(user.last_signed_in_at, Configurations.vpn_duration())
   end
 
-  @doc """
-  Returns DateTime that VPN sessions expire based on last_signed_in_at
-  and the security.require_auth_for_vpn_frequency setting.
-  """
-  def vpn_session_expires_at(user, duration) do
-    DateTime.add(user.last_signed_in_at, duration)
-  end
-
-  def vpn_session_expired?(user, duration) do
-    max = FzHttp.Configurations.Configuration.max_vpn_session_duration()
-
-    case duration do
-      0 ->
+  def vpn_session_expired?(user) do
+    cond do
+      is_nil(user.last_signed_in_at) ->
         false
 
-      ^max ->
-        is_nil(user.last_signed_in_at)
+      not Configurations.vpn_sessions_expire?() ->
+        false
 
-      _num ->
-        is_nil(user.last_signed_in_at) ||
-          DateTime.diff(vpn_session_expires_at(user, duration), DateTime.utc_now()) <= 0
-    end
-  end
-
-  def reset_sign_in_token(email) do
-    with %User{} = user <- Repo.get_by(User, email: email),
-         {:ok, user} <- update_user_sign_in_token(user, sign_in_keys()) do
-      Mailer.AuthEmail.magic_link(user) |> Mailer.deliver!()
-      :ok
-    else
-      nil ->
-        Logger.info("Attempt to reset password of non-existing email: #{email}")
-        :ok
-
-      {:error, _changeset} ->
-        # failed to update user, something wrong internally
-        Logger.error("Could not update user #{email} for magic link.")
-        :error
-    end
-  end
-
-  defp find_by_token(token) do
-    validity_secs = -1 * @sign_in_token_validity_secs
-    now = DateTime.utc_now()
-
-    Repo.one(
-      from(u in User,
-        where:
-          u.sign_in_token == ^token and
-            u.sign_in_token_created_at > datetime_add(^now, ^validity_secs, "second")
-      )
-    )
-  end
-
-  defp find_and_clear_token(token) do
-    Repo.transaction(fn ->
-      case find_by_token(token) do
-        nil -> {:error, "Token invalid."}
-        user -> clear_token(user)
-      end
-    end)
-  end
-
-  defp clear_token(user) do
-    result = update_user_sign_in_token(user, %{sign_in_token: nil, sign_in_token_created_at: nil})
-
-    case result do
-      {:ok, user} -> {:ok, user}
-      _ -> {:error, "Unexpected error attempting to clear sign in token."}
+      true ->
+        DateTime.diff(vpn_session_expires_at(user), DateTime.utc_now()) <= 0
     end
   end
 end
diff --git a/apps/fz_http/lib/fz_http/users/password_helpers.ex b/apps/fz_http/lib/fz_http/users/password_helpers.ex
deleted file mode 100644
index 4d1362fd2..000000000
--- a/apps/fz_http/lib/fz_http/users/password_helpers.ex
+++ /dev/null
@@ -1,43 +0,0 @@
-defmodule FzHttp.Users.PasswordHelpers do
-  @moduledoc """
-  Helpers for validating changesets with passwords
-  """
-
-  import Ecto.Changeset
-
-  def validate_password_equality(%Ecto.Changeset{valid?: true} = changeset) do
-    password = changeset.changes[:password]
-    password_confirmation = changeset.changes[:password_confirmation]
-
-    if password != password_confirmation do
-      add_error(changeset, :password, "does not match password confirmation.")
-    else
-      changeset
-    end
-  end
-
-  def validate_password_equality(changeset), do: changeset
-
-  def put_password_hash(%Ecto.Changeset{changes: %{password: password}} = changeset)
-      when password in ["", nil] do
-    changeset
-  end
-
-  def put_password_hash(
-        %Ecto.Changeset{
-          valid?: true,
-          changes: %{password: password}
-        } = changeset
-      ) do
-    changeset
-    |> put_change(:password_hash, Argon2.hash_pwd_salt(password))
-    |> delete_change(:password)
-    |> delete_change(:password_confirmation)
-  end
-
-  def put_password_hash(changeset) do
-    changeset
-    |> delete_change(:password)
-    |> delete_change(:password_confirmation)
-  end
-end
diff --git a/apps/fz_http/lib/fz_http/users/user.ex b/apps/fz_http/lib/fz_http/users/user.ex
index b64b76bb4..0eeb05490 100644
--- a/apps/fz_http/lib/fz_http/users/user.ex
+++ b/apps/fz_http/lib/fz_http/users/user.ex
@@ -1,123 +1,30 @@
 defmodule FzHttp.Users.User do
-  @moduledoc """
-  Represents a User.
-  """
   use FzHttp, :schema
-  import Ecto.Changeset
-  import FzHttp.Users.PasswordHelpers
-
-  alias FzHttp.{
-    ApiTokens.ApiToken,
-    Devices.Device,
-    OIDC.Connection,
-    Validators.Common
-  }
-
-  @min_password_length 12
-  @max_password_length 64
 
   schema "users" do
-    field :role, Ecto.Enum, values: [:unprivileged, :admin], default: :unprivileged
+    field :role, Ecto.Enum, values: [:unprivileged, :admin]
     field :email, :string
+    field :password_hash, :string
+
     field :last_signed_in_at, :utc_datetime_usec
     field :last_signed_in_method, :string
-    field :password_hash, :string
-    field :sign_in_token, :string
+
+    field :sign_in_token, :string, virtual: true, redact: true
+    field :sign_in_token_hash, :string
     field :sign_in_token_created_at, :utc_datetime_usec
-    field :disabled_at, :utc_datetime_usec
 
-    # VIRTUAL FIELDS
+    # Virtual fields
+    field :password, :string, virtual: true, redact: true
+    field :password_confirmation, :string, virtual: true, redact: true
+
+    # Virtual fields that can be hydrated
     field :device_count, :integer, virtual: true
-    field :password, :string, virtual: true
-    field :password_confirmation, :string, virtual: true
-    field :current_password, :string, virtual: true
 
-    has_many :devices, Device
-    has_many :oidc_connections, Connection
-    has_many :api_tokens, ApiToken
+    has_many :devices, FzHttp.Devices.Device
+    has_many :oidc_connections, FzHttp.OIDC.Connection
+    has_many :api_tokens, FzHttp.ApiTokens.ApiToken
 
+    field :disabled_at, :utc_datetime_usec
     timestamps()
   end
-
-  def create_changeset(user, attrs \\ %{}) do
-    user
-    |> cast(attrs, [
-      :email,
-      :password_hash,
-      :password,
-      :password_confirmation
-    ])
-    |> update_change(:email, &String.trim/1)
-    |> validate_required([:email])
-    |> validate_password_equality()
-    |> validate_length(:password, min: @min_password_length, max: @max_password_length)
-    |> validate_format(:email, ~r/@/)
-    |> unique_constraint(:email)
-    |> put_password_hash()
-  end
-
-  def require_current_password(user, attrs) do
-    user
-    |> cast(attrs, [:current_password])
-    |> validate_required([:current_password])
-    |> verify_current_password()
-  end
-
-  def update_password(user, attrs) do
-    user
-    |> cast(attrs, [:password, :password_confirmation])
-    |> then(fn
-      %{changes: %{password: _}} = changeset ->
-        validate_length(changeset, :password, min: @min_password_length, max: @max_password_length)
-
-      changeset ->
-        changeset
-    end)
-    |> validate_password_equality()
-    |> put_password_hash()
-    |> validate_required([:password_hash])
-  end
-
-  def require_password_change(user, attrs) do
-    user
-    |> cast(attrs, [:password, :password_confirmation])
-    |> validate_required([:password, :password_confirmation])
-  end
-
-  def update_email(user, attrs) do
-    user
-    |> cast(attrs, [:email])
-    |> Common.trim_change(:email)
-    |> validate_required([:email])
-    |> validate_format(:email, ~r/@/)
-  end
-
-  def update_role(user, attrs) do
-    user
-    |> cast(attrs, [:role])
-    |> validate_required([:role])
-  end
-
-  def update_sign_in_token(user, attrs) do
-    cast(user, attrs, [:sign_in_token, :sign_in_token_created_at])
-  end
-
-  def update_last_signed_in(user, attrs) do
-    cast(user, attrs, [:last_signed_in_method, :last_signed_in_at])
-  end
-
-  defp verify_current_password(
-         %Ecto.Changeset{
-           data: %{password_hash: password_hash},
-           changes: %{current_password: current_password}
-         } = changeset
-       ) do
-    if Argon2.verify_pass(current_password, password_hash) do
-      delete_change(changeset, :current_password)
-    else
-      add_error(changeset, :current_password, "invalid password")
-    end
-  end
-
-  defp verify_current_password(changeset), do: changeset
 end
diff --git a/apps/fz_http/lib/fz_http/users/user/changeset.ex b/apps/fz_http/lib/fz_http/users/user/changeset.ex
new file mode 100644
index 000000000..1da37e9f1
--- /dev/null
+++ b/apps/fz_http/lib/fz_http/users/user/changeset.ex
@@ -0,0 +1,68 @@
+defmodule FzHttp.Users.User.Changeset do
+  use FzHttp, :changeset
+  alias FzHttp.Users
+
+  @min_password_length 12
+  @max_password_length 64
+
+  def create_changeset(role, attrs) when is_atom(role) do
+    %Users.User{}
+    |> cast(attrs, ~w[
+      email
+      password
+      password_confirmation
+    ]a)
+    |> put_change(:role, role)
+    |> change_email_changeset()
+    |> validate_if_changed(:password, &change_password_changeset/1)
+  end
+
+  def update_user_password(user, attrs) do
+    user
+    |> cast(attrs, [:password])
+    |> validate_if_changed(:password, &change_password_changeset/1)
+  end
+
+  def update_user_email(user, attrs) do
+    user
+    |> cast(attrs, [:email])
+    |> validate_if_changed(:email, &change_email_changeset/1)
+  end
+
+  def update_user_role(user, attrs) do
+    user
+    |> cast(attrs, [:role])
+    |> validate_required([:role])
+  end
+
+  defp change_email_changeset(%Ecto.Changeset{} = changeset) do
+    changeset
+    |> trim_change(:email)
+    |> validate_required([:email, :role])
+    |> validate_email(:email)
+    |> unique_constraint(:email)
+  end
+
+  defp change_password_changeset(%Ecto.Changeset{} = changeset) do
+    changeset
+    |> validate_required([:password])
+    |> validate_confirmation(:password, required: true)
+    |> validate_length(:password, min: @min_password_length, max: @max_password_length)
+    |> put_hash(:password, to: :password_hash)
+    |> redact_field(:password)
+    |> redact_field(:password_confirmation)
+    |> validate_required([:password_hash])
+  end
+
+  def generate_sign_in_token(%Users.User{} = user) do
+    user
+    |> change()
+    |> put_change(:sign_in_token, FzCommon.FzCrypto.rand_string())
+    |> put_hash(:sign_in_token, to: :sign_in_token_hash)
+    |> put_change(:sign_in_token_created_at, DateTime.utc_now())
+  end
+
+  def update_last_signed_in(user, attrs) do
+    cast(user, attrs, [:last_signed_in_method, :last_signed_in_at])
+  end
+end
diff --git a/apps/fz_http/lib/fz_http/users/user/query.ex b/apps/fz_http/lib/fz_http/users/user/query.ex
new file mode 100644
index 000000000..42318e4dc
--- /dev/null
+++ b/apps/fz_http/lib/fz_http/users/user/query.ex
@@ -0,0 +1,45 @@
+defmodule FzHttp.Users.User.Query do
+  use FzHttp, :query
+
+  def all do
+    from(users in FzHttp.Users.User, as: :users)
+  end
+
+  def by_id(queryable \\ all(), id) do
+    where(queryable, [users: users], users.id == ^id)
+  end
+
+  def by_email(queryable \\ all(), email) do
+    where(queryable, [users: users], users.email == ^email)
+  end
+
+  def by_role(queryable \\ all(), role) do
+    where(queryable, [users: users], users.role == ^role)
+  end
+
+  def where_sign_in_token_is_not_expired(queryable \\ all()) do
+    queryable
+    |> where(
+      [users: users],
+      datetime_add(users.sign_in_token_created_at, 1, "hour") >= fragment("NOW()")
+    )
+  end
+
+  def select_id_map(queryable \\ all()) do
+    queryable
+    |> select([users: users], %{id: users.id})
+  end
+
+  def hydrate_device_count(queryable \\ all()) do
+    queryable
+    |> with_assoc(:devices)
+    |> group_by([users: users], users.id)
+    |> select_merge([users: users, devices: devices], %{device_count: count(devices.id)})
+  end
+
+  def with_assoc(queryable \\ all(), assoc) do
+    with_named_binding(queryable, assoc, fn query, binding ->
+      join(query, :left, [users: users], a in assoc(users, ^binding), as: ^binding)
+    end)
+  end
+end
diff --git a/apps/fz_http/lib/fz_http/validators/common.ex b/apps/fz_http/lib/fz_http/validator.ex
similarity index 51%
rename from apps/fz_http/lib/fz_http/validators/common.ex
rename to apps/fz_http/lib/fz_http/validator.ex
index 8a9a618bd..19841400e 100644
--- a/apps/fz_http/lib/fz_http/validators/common.ex
+++ b/apps/fz_http/lib/fz_http/validator.ex
@@ -1,15 +1,13 @@
-defmodule FzHttp.Validators.Common do
-  @moduledoc """
-  Shared validators to use between schemas.
+defmodule FzHttp.Validator do
+  @doc """
+  A set of changeset helpers and schema extensions to simplify our changesets and make validation more reliable.
   """
-
   import Ecto.Changeset
+  alias FzCommon.FzNet
 
-  import FzCommon.FzNet,
-    only: [
-      valid_ip?: 1,
-      valid_cidr?: 1
-    ]
+  def validate_email(changeset, field) do
+    validate_format(changeset, field, ~r/@/, message: "is invalid email address")
+  end
 
   def validate_uri(changeset, fields) when is_list(fields) do
     Enum.reduce(fields, changeset, fn field, accumulated_changeset ->
@@ -46,7 +44,7 @@ defmodule FzHttp.Validators.Common do
     validate_change(changeset, field, fn _current_field, value ->
       value
       |> split_comma_list()
-      |> Enum.find(&(not valid_ip?(&1)))
+      |> Enum.find(&(not FzNet.valid_ip?(&1)))
       |> error_if(
         &(!is_nil(&1)),
         &{field, "is invalid: #{&1} is not a valid IPv4 / IPv6 address"}
@@ -58,7 +56,7 @@ defmodule FzHttp.Validators.Common do
     validate_change(changeset, field, fn _current_field, value ->
       value
       |> split_comma_list()
-      |> Enum.find(&(not (valid_ip?(&1) or valid_cidr?(&1))))
+      |> Enum.find(&(not (FzNet.valid_ip?(&1) or FzNet.valid_cidr?(&1))))
       |> error_if(
         &(!is_nil(&1)),
         &{field, "is invalid: #{&1} is not a valid IPv4 / IPv6 address or CIDR range"}
@@ -105,6 +103,73 @@ defmodule FzHttp.Validators.Common do
     end
   end
 
+  @doc """
+  Takes value from `value_field` and puts it's hash to `hash_field`.
+  """
+  def put_hash(%Ecto.Changeset{} = changeset, value_field, to: hash_field) do
+    with {:ok, value} when is_binary(value) and value != "" <-
+           fetch_change(changeset, value_field) do
+      put_change(changeset, hash_field, FzCommon.FzCrypto.hash(value))
+    else
+      _ -> changeset
+    end
+  end
+
+  @doc """
+  Validates that value in a given `value_field` equals to hash stored in `hash_field`.
+  """
+  def validate_hash(changeset, value_field, hash_field: hash_field) do
+    with {:data, hash} <- fetch_field(changeset, hash_field) do
+      validate_change(changeset, value_field, fn value_field, token ->
+        if FzCommon.FzCrypto.equal?(token, hash) do
+          []
+        else
+          [{value_field, {"is invalid", [validation: :hash]}}]
+        end
+      end)
+    else
+      {:changes, _hash} ->
+        add_error(changeset, value_field, "can not be verified", validation: :hash)
+
+      :error ->
+        add_error(changeset, value_field, "is already verified", validation: :hash)
+    end
+  end
+
+  def validate_if_true(%Ecto.Changeset{} = changeset, field, callback)
+      when is_function(callback, 1) do
+    case fetch_field(changeset, field) do
+      {_data_or_changes, true} ->
+        callback.(changeset)
+
+      _else ->
+        changeset
+    end
+  end
+
+  def validate_if_changed(%Ecto.Changeset{} = changeset, field, callback)
+      when is_function(callback, 1) do
+    with {:ok, _value} <- fetch_change(changeset, field) do
+      callback.(changeset)
+    else
+      _ -> changeset
+    end
+  end
+
+  @doc """
+  Removes change for a given field and original value from it from `changeset.params`.
+
+  Even though `changeset.params` considered to be a private field it leaks values even
+  after they are removed from a changeset if you `inspect(struct, structs: false)` or
+  just access it directly.
+  """
+  def redact_field(%Ecto.Changeset{} = changeset, field) do
+    changeset = delete_change(changeset, field)
+    %{changeset | params: Map.drop(changeset.params, field_variations(field))}
+  end
+
+  defp field_variations(field) when is_atom(field), do: [field, Atom.to_string(field)]
+
   @doc """
   Puts the change if field is not changed or it's value is set to `nil`.
   """
@@ -126,4 +191,13 @@ defmodule FzHttp.Validators.Common do
   def trim_change(changeset, field) do
     update_change(changeset, field, &if(!is_nil(&1), do: String.trim(&1)))
   end
+
+  @doc """
+  Returns `true` when binary representation of Ecto UUID is valid, otherwise - `false`.
+  """
+  def valid_uuid?(binary) when is_binary(binary),
+    do: match?(<<_::64, ?-, _::32, ?-, _::32, ?-, _::32, ?-, _::96>>, binary)
+
+  def valid_uuid?(_binary),
+    do: false
 end
diff --git a/apps/fz_http/lib/fz_http/validators/openid_connect.ex b/apps/fz_http/lib/fz_http/validators/openid_connect.ex
deleted file mode 100644
index eb3f58839..000000000
--- a/apps/fz_http/lib/fz_http/validators/openid_connect.ex
+++ /dev/null
@@ -1,21 +0,0 @@
-defmodule FzHttp.Validators.OpenIDConnect do
-  @moduledoc """
-  Validators various fields related to OpenID Connect
-  before they're saved and passed to the underlying
-  openid_connect library where they could become an issue.
-  """
-  import Ecto.Changeset
-
-  def validate_discovery_document_uri(changeset) do
-    changeset
-    |> validate_change(:discovery_document_uri, fn :discovery_document_uri, value ->
-      case OpenIDConnect.update_documents(discovery_document_uri: value) do
-        {:ok, _update_result} ->
-          []
-
-        {:error, :update_documents, reason} ->
-          [discovery_document_uri: "is invalid. Reason: #{inspect(reason)}"]
-      end
-    end)
-  end
-end
diff --git a/apps/fz_http/lib/fz_http/validators/saml.ex b/apps/fz_http/lib/fz_http/validators/saml.ex
deleted file mode 100644
index f886ecb23..000000000
--- a/apps/fz_http/lib/fz_http/validators/saml.ex
+++ /dev/null
@@ -1,21 +0,0 @@
-defmodule FzHttp.Validators.SAML do
-  @moduledoc """
-  Validators for SAML configs.
-  """
-
-  alias Samly.IdpData
-  import Ecto.Changeset
-
-  def validate_metadata(changeset) do
-    changeset
-    |> validate_change(:metadata, fn :metadata, value ->
-      try do
-        IdpData.from_xml(value, %IdpData{})
-        []
-      catch
-        :exit, e ->
-          [metadata: "is invalid. Details: #{inspect(e)}."]
-      end
-    end)
-  end
-end
diff --git a/apps/fz_http/lib/fz_http_web/auth/html/authentication.ex b/apps/fz_http/lib/fz_http_web/auth/html/authentication.ex
index 7111b5f8e..6cae29cf5 100644
--- a/apps/fz_http/lib/fz_http_web/auth/html/authentication.ex
+++ b/apps/fz_http/lib/fz_http_web/auth/html/authentication.ex
@@ -4,15 +4,11 @@ defmodule FzHttpWeb.Auth.HTML.Authentication do
   """
   use Guardian, otp_app: :fz_http
   use FzHttpWeb, :controller
-
+  alias FzHttp.Configurations
   alias FzHttp.Telemetry
   alias FzHttp.Users
   alias FzHttp.Users.User
 
-  import FzHttpWeb.OIDC.Helpers
-
-  require Logger
-
   @guardian_token_name "guardian_default_token"
 
   @impl Guardian
@@ -22,9 +18,9 @@ defmodule FzHttpWeb.Auth.HTML.Authentication do
 
   @impl Guardian
   def resource_from_claims(%{"sub" => id}) do
-    case Users.get_user(id) do
-      nil -> {:error, :resource_not_found}
-      user -> {:ok, user}
+    case Users.fetch_user_by_id(id) do
+      {:ok, user} -> {:ok, user}
+      {:error, :not_found} -> {:error, :resource_not_found}
     end
   end
 
@@ -76,12 +72,10 @@ defmodule FzHttpWeb.Auth.HTML.Authentication do
 
   def sign_out(conn) do
     with provider_id when not is_nil(provider_id) <- Plug.Conn.get_session(conn, "login_method"),
-         provider when not is_nil(provider) <-
-           FzHttp.Configurations.get_provider_by_id(:openid_connect_providers, provider_id),
          token when not is_nil(token) <- Plug.Conn.get_session(conn, "id_token"),
-         end_session_uri when not is_nil(end_session_uri) <-
-           openid_connect().end_session_uri(provider_id, %{
-             client_id: provider.client_id,
+         {:ok, config} <- Configurations.fetch_oidc_provider_config(provider_id),
+         {:ok, end_session_uri} <-
+           OpenIDConnect.end_session_uri(config, %{
              id_token_hint: token,
              post_logout_redirect_uri: url(~p"/")
            }) do
diff --git a/apps/fz_http/lib/fz_http_web/auth/json/authentication.ex b/apps/fz_http/lib/fz_http_web/auth/json/authentication.ex
index 2983ddd97..4da5a61e4 100644
--- a/apps/fz_http/lib/fz_http_web/auth/json/authentication.ex
+++ b/apps/fz_http/lib/fz_http_web/auth/json/authentication.ex
@@ -19,7 +19,7 @@ defmodule FzHttpWeb.Auth.JSON.Authentication do
   @impl Guardian
   def resource_from_claims(%{"api" => api_token_id}) do
     with %ApiTokens.ApiToken{} = api_token <- ApiTokens.get_unexpired_api_token(api_token_id),
-         %Users.User{} = user <- Users.get_user(api_token.user_id) do
+         {:ok, %Users.User{} = user} <- Users.fetch_user_by_id(api_token.user_id) do
       {:ok, user}
     else
       _ ->
diff --git a/apps/fz_http/lib/fz_http_web/channels/notification_channel.ex b/apps/fz_http/lib/fz_http_web/channels/notification_channel.ex
index b44affeda..88a46e9f6 100644
--- a/apps/fz_http/lib/fz_http_web/channels/notification_channel.ex
+++ b/apps/fz_http/lib/fz_http_web/channels/notification_channel.ex
@@ -6,25 +6,16 @@ defmodule FzHttpWeb.NotificationChannel do
   alias FzHttp.Users
   alias FzHttpWeb.Presence
 
-  @token_verify_opts [max_age: 86_400]
-
   @impl Phoenix.Channel
-  def join("notification:session", %{"user_agent" => user_agent, "token" => token}, socket) do
-    case Phoenix.Token.verify(socket, "channel auth", token, @token_verify_opts) do
-      {:ok, user_id} ->
-        socket =
-          socket
-          |> assign(:current_user, Users.get_user!(user_id))
-          |> assign(:user_agent, user_agent)
+  def join("notification:session", _attrs, socket) do
+    socket = FzHttpWeb.Sandbox.allow_channel_sql_sandbox(socket)
 
-        send(self(), :after_join)
-
-        {:ok,
-         socket
-         |> assign(:current_user, Users.get_user!(user_id))}
-
-      {:error, _} ->
-        {:error, %{reason: "unauthorized"}}
+    with {:ok, user} <- Users.fetch_user_by_id(socket.assigns.current_user_id) do
+      socket = assign(socket, :current_user, user)
+      send(self(), :after_join)
+      {:ok, socket}
+    else
+      _ -> {:error, %{reason: "unauthorized"}}
     end
   end
 
diff --git a/apps/fz_http/lib/fz_http_web/controller_helpers.ex b/apps/fz_http/lib/fz_http_web/controller_helpers.ex
index 4583ab967..348dd9778 100644
--- a/apps/fz_http/lib/fz_http_web/controller_helpers.ex
+++ b/apps/fz_http/lib/fz_http_web/controller_helpers.ex
@@ -6,6 +6,10 @@ defmodule FzHttpWeb.ControllerHelpers do
 
   alias FzHttp.Users.User
 
+  def root_path_for_user(nil) do
+    ~p"/"
+  end
+
   def root_path_for_user(%User{role: :admin}) do
     ~p"/users"
   end
diff --git a/apps/fz_http/lib/fz_http_web/controllers/auth_controller.ex b/apps/fz_http/lib/fz_http_web/controllers/auth_controller.ex
index 8ba003a67..7902ebb6a 100644
--- a/apps/fz_http/lib/fz_http_web/controllers/auth_controller.ex
+++ b/apps/fz_http/lib/fz_http_web/controllers/auth_controller.ex
@@ -3,17 +3,15 @@ defmodule FzHttpWeb.AuthController do
   Implements the CRUD for a Session
   """
   use FzHttpWeb, :controller
-  require Logger
-
-  @local_auth_providers [:identity, :magic_link]
-
   alias FzHttp.Users
+  alias FzHttp.Configurations
   alias FzHttpWeb.Auth.HTML.Authentication
   alias FzHttpWeb.OAuth.PKCE
   alias FzHttpWeb.OIDC.State
   alias FzHttpWeb.UserFromAuth
+  require Logger
 
-  import FzHttpWeb.OIDC.Helpers
+  @local_auth_providers [:identity, :magic_link]
 
   # Uncomment when Helpers.callback_url/1 is fixed
   # alias Ueberauth.Strategy.Helpers
@@ -40,6 +38,14 @@ defmodule FzHttpWeb.AuthController do
       {:ok, user} ->
         maybe_sign_in(conn, user, auth)
 
+      {:error, reason} when reason in [:not_found, :invalid_credentials] ->
+        conn
+        |> put_flash(
+          :error,
+          "Error signing in: user credentials are invalid or user does not exist"
+        )
+        |> request(%{})
+
       {:error, reason} ->
         conn
         |> put_flash(:error, "Error signing in: #{reason}")
@@ -62,8 +68,9 @@ defmodule FzHttpWeb.AuthController do
     token_params = Map.merge(params, PKCE.token_params(conn))
 
     with :ok <- State.verify_state(conn, state),
-         {:ok, tokens} <- openid_connect().fetch_tokens(provider_id, token_params),
-         {:ok, claims} <- openid_connect().verify(provider_id, tokens["id_token"]) do
+         {:ok, config} <- Configurations.fetch_oidc_provider_config(provider_id),
+         {:ok, tokens} <- OpenIDConnect.fetch_tokens(config, token_params),
+         {:ok, claims} <- OpenIDConnect.verify(config, tokens["id_token"]) do
       case UserFromAuth.find_or_create(provider_id, claims) do
         {:ok, user} ->
           # only first-time connect will include refresh token
@@ -117,25 +124,28 @@ defmodule FzHttpWeb.AuthController do
   end
 
   def magic_link(conn, %{"email" => email}) do
-    case Users.reset_sign_in_token(email) do
-      :ok ->
-        conn
-        |> put_flash(:info, "Please check your inbox for the magic link.")
-        |> redirect(to: ~p"/")
+    with {:ok, user} <- Users.fetch_user_by_email(email),
+         {:ok, user} <- Users.request_sign_in_token(user) do
+      FzHttpWeb.Mailer.AuthEmail.magic_link(user)
+      |> FzHttpWeb.Mailer.deliver!()
 
-      :error ->
+      conn
+      |> put_flash(:info, "Please check your inbox for the magic link.")
+      |> redirect(to: ~p"/")
+    else
+      {:error, :not_found} ->
         conn
         |> put_flash(:warning, "Failed to send magic link email.")
         |> redirect(to: ~p"/auth/reset_password")
     end
   end
 
-  def magic_sign_in(conn, %{"token" => token}) do
-    case Users.consume_sign_in_token(token) do
-      {:ok, user} ->
-        maybe_sign_in(conn, user, %{provider: :magic_link})
-
-      {:error, _} ->
+  def magic_sign_in(conn, %{"user_id" => user_id, "token" => token}) do
+    with {:ok, user} <- Users.fetch_user_by_id(user_id),
+         {:ok, _user} <- Users.consume_sign_in_token(user, token) do
+      maybe_sign_in(conn, user, %{provider: :magic_link})
+    else
+      {:error, _reason} ->
         conn
         |> put_flash(:error, "The magic link is not valid or has expired.")
         |> redirect(to: ~p"/")
@@ -152,12 +162,23 @@ defmodule FzHttpWeb.AuthController do
       code_challenge: PKCE.code_challenge(verifier)
     }
 
-    uri = openid_connect().authorization_uri(provider_id, params)
+    with {:ok, config} <- Configurations.fetch_oidc_provider_config(provider_id),
+         {:ok, uri} <- OpenIDConnect.authorization_uri(config, params) do
+      conn
+      |> PKCE.put_cookie(verifier)
+      |> State.put_cookie(params.state)
+      |> redirect(external: uri)
+    else
+      {:error, :not_found} ->
+        {:error, :not_found}
 
-    conn
-    |> PKCE.put_cookie(verifier)
-    |> State.put_cookie(params.state)
-    |> redirect(external: uri)
+      {:error, reason} ->
+        Logger.error("Can not redirect user to OIDC auth uri", reason: inspect(reason))
+
+        conn
+        |> put_flash(:error, "Error while processing OpenID request.")
+        |> redirect(to: ~p"/")
+    end
   end
 
   defp maybe_sign_in(conn, user, %{provider: provider_key} = auth)
diff --git a/apps/fz_http/lib/fz_http_web/controllers/json/user_controller.ex b/apps/fz_http/lib/fz_http_web/controllers/json/user_controller.ex
index 674a3a877..bc96f93f4 100644
--- a/apps/fz_http/lib/fz_http_web/controllers/json/user_controller.ex
+++ b/apps/fz_http/lib/fz_http_web/controllers/json/user_controller.ex
@@ -14,7 +14,6 @@ defmodule FzHttpWeb.JSON.UserController do
   """
   use FzHttpWeb, :controller
   alias FzHttp.Users
-  alias FzHttp.Users.User
 
   action_fallback(FzHttpWeb.JSON.FallbackController)
 
@@ -50,7 +49,7 @@ defmodule FzHttpWeb.JSON.UserController do
   """
   @doc api_doc: [action: "Create a User"]
   def create(conn, %{"user" => %{"role" => "admin"} = user_params}) do
-    with {:ok, %User{} = user} <- Users.create_admin_user(user_params) do
+    with {:ok, %Users.User{} = user} <- Users.create_admin_user(user_params) do
       conn
       |> put_status(:created)
       |> put_resp_header("location", ~p"/v0/users/#{user}")
@@ -59,7 +58,7 @@ defmodule FzHttpWeb.JSON.UserController do
   end
 
   def create(conn, %{"user" => user_params}) do
-    with {:ok, %User{} = user} <- Users.create_unprivileged_user(user_params) do
+    with {:ok, %Users.User{} = user} <- Users.create_unprivileged_user(user_params) do
       conn
       |> put_status(:created)
       |> put_resp_header("location", ~p"/v0/users/#{user}")
@@ -69,8 +68,9 @@ defmodule FzHttpWeb.JSON.UserController do
 
   @doc api_doc: [summary: "Get User by ID or Email"]
   def show(conn, %{"id" => id_or_email}) do
-    user = get_user_by_id_or_email(id_or_email)
-    render(conn, "show.json", user: user)
+    with {:ok, %Users.User{} = user} <- Users.fetch_user_by_id_or_email(id_or_email) do
+      render(conn, "show.json", user: user)
+    end
   end
 
   @doc """
@@ -78,27 +78,19 @@ defmodule FzHttpWeb.JSON.UserController do
   """
   @doc api_doc: [action: "Update a User"]
   def update(conn, %{"id" => id_or_email, "user" => user_params}) do
-    user = get_user_by_id_or_email(id_or_email)
-
-    with {:ok, %User{} = user} <- Users.admin_update_user(user, user_params) do
+    with {:ok, %Users.User{} = user} <- Users.fetch_user_by_id_or_email(id_or_email),
+         {:ok, %Users.User{} = user} <- Users.admin_update_user(user, user_params) do
       render(conn, "show.json", user: user)
     end
   end
 
   @doc api_doc: [summary: "Delete a User"]
   def delete(conn, %{"id" => id_or_email}) do
-    user = get_user_by_id_or_email(id_or_email)
-
-    with {:ok, %User{}} <- Users.delete_user(user) do
-      send_resp(conn, :no_content, "")
-    end
-  end
-
-  defp get_user_by_id_or_email(id_or_email) do
-    if String.contains?(id_or_email, "@") do
-      Users.get_by_email!(id_or_email)
-    else
-      Users.get_user!(id_or_email)
+    with {:ok, %Users.User{} = user} <- Users.fetch_user_by_id_or_email(id_or_email),
+         {:ok, %Users.User{}} <- Users.delete_user(user) do
+      conn
+      |> put_resp_content_type("application/json")
+      |> send_resp(:no_content, "")
     end
   end
 end
diff --git a/apps/fz_http/lib/fz_http_web/controllers/user_controller.ex b/apps/fz_http/lib/fz_http_web/controllers/user_controller.ex
index 30c20283a..0efe348c5 100644
--- a/apps/fz_http/lib/fz_http_web/controllers/user_controller.ex
+++ b/apps/fz_http/lib/fz_http_web/controllers/user_controller.ex
@@ -13,7 +13,7 @@ defmodule FzHttpWeb.UserController do
     user = Authentication.get_current_user(conn)
 
     with %{role: :admin} <- user do
-      unless length(Users.list_admins()) > 1 do
+      unless Users.count_by_role(:admin) > 1 do
         raise "Cannot delete one last admin"
       end
     end
diff --git a/apps/fz_http/lib/fz_http_web/endpoint.ex b/apps/fz_http/lib/fz_http_web/endpoint.ex
index 38e7d02ed..4ac85878e 100644
--- a/apps/fz_http/lib/fz_http_web/endpoint.ex
+++ b/apps/fz_http/lib/fz_http_web/endpoint.ex
@@ -12,7 +12,7 @@ defmodule FzHttpWeb.Endpoint do
 
   socket "/socket", FzHttpWeb.UserSocket,
     websocket: [
-      connect_info: [:peer_data, :x_headers, :uri],
+      connect_info: [:user_agent, :peer_data, :x_headers, :uri],
       # XXX: channel token should prevent CSWH but double check
       check_origin: false
     ],
@@ -21,6 +21,7 @@ defmodule FzHttpWeb.Endpoint do
   socket "/live", Phoenix.LiveView.Socket,
     websocket: [
       connect_info: [
+        :user_agent,
         :peer_data,
         :x_headers,
         :uri,
diff --git a/apps/fz_http/lib/fz_http_web/live/device_live/admin/show_live.ex b/apps/fz_http/lib/fz_http_web/live/device_live/admin/show_live.ex
index b35dcbebe..133208e4e 100644
--- a/apps/fz_http/lib/fz_http_web/live/device_live/admin/show_live.ex
+++ b/apps/fz_http/lib/fz_http_web/live/device_live/admin/show_live.ex
@@ -46,7 +46,7 @@ defmodule FzHttpWeb.DeviceLive.Admin.Show do
   defp assigns(device) do
     [
       device: device,
-      user: Users.get_user!(device.user_id),
+      user: Users.fetch_user_by_id!(device.user_id),
       page_title: device.name,
       allowed_ips: Devices.allowed_ips(device),
       dns: Devices.dns(device),
diff --git a/apps/fz_http/lib/fz_http_web/live/device_live/unprivileged/show_live.ex b/apps/fz_http/lib/fz_http_web/live/device_live/unprivileged/show_live.ex
index 7ad6ffb3e..ca01cadf1 100644
--- a/apps/fz_http/lib/fz_http_web/live/device_live/unprivileged/show_live.ex
+++ b/apps/fz_http/lib/fz_http_web/live/device_live/unprivileged/show_live.ex
@@ -53,7 +53,7 @@ defmodule FzHttpWeb.DeviceLive.Unprivileged.Show do
   defp assigns(device) do
     [
       device: device,
-      user: Users.get_user!(device.user_id),
+      user: Users.fetch_user_by_id!(device.user_id),
       page_title: device.name,
       allowed_ips: Devices.allowed_ips(device),
       port: FzHttp.Config.fetch_env!(:fz_vpn, :wireguard_port),
diff --git a/apps/fz_http/lib/fz_http_web/live/hooks/allow_ecto_sandbox.ex b/apps/fz_http/lib/fz_http_web/live/hooks/allow_ecto_sandbox.ex
new file mode 100644
index 000000000..6272d0a1d
--- /dev/null
+++ b/apps/fz_http/lib/fz_http_web/live/hooks/allow_ecto_sandbox.ex
@@ -0,0 +1,6 @@
+defmodule FzHttpWeb.Hooks.AllowEctoSandbox do
+  def on_mount(:default, _params, _session, socket) do
+    socket = FzHttpWeb.Sandbox.allow_live_ecto_sandbox(socket)
+    {:cont, socket}
+  end
+end
diff --git a/apps/fz_http/lib/fz_http_web/live/mfa_live/register_steps_component.ex b/apps/fz_http/lib/fz_http_web/live/mfa_live/register_steps_component.ex
index 1951a32a0..3783b7173 100644
--- a/apps/fz_http/lib/fz_http_web/live/mfa_live/register_steps_component.ex
+++ b/apps/fz_http/lib/fz_http_web/live/mfa_live/register_steps_component.ex
@@ -19,7 +19,8 @@ defmodule FzHttpWeb.MFA.RegisterStepsComponent do
       <div class="control">
         <div>
           <label class="radio">
-            <input type="radio" name="type" value="totp" checked /> Time-Based One-Time Password
+            <input type="radio" name="type" value="totp" id="mfa-method-totp" checked />
+            Time-Based One-Time Password
           </label>
         </div>
         <!-- Coming Soon
diff --git a/apps/fz_http/lib/fz_http_web/live/setting_live/account.html.heex b/apps/fz_http/lib/fz_http_web/live/setting_live/account.html.heex
index 9905a8be9..adc40bdd0 100644
--- a/apps/fz_http/lib/fz_http_web/live/setting_live/account.html.heex
+++ b/apps/fz_http/lib/fz_http_web/live/setting_live/account.html.heex
@@ -255,7 +255,7 @@
   </h4>
 
   <%= form_for @changeset, ~p"/sign_out", [id: "delete-account", method: :delete], fn _f -> %>
-    <%= submit(class: "button is-danger", data: [confirm: "Are you sure?"], disabled: !@allow_delete) do %>
+    <%= submit(class: "button is-danger", data: if(@allow_delete, do: [confirm: "Are you sure?"], else: []), disabled: !@allow_delete) do %>
       <span class="icon is-small">
         <i class="fas fa-trash"></i>
       </span>
diff --git a/apps/fz_http/lib/fz_http_web/live/setting_live/account_form_component.ex b/apps/fz_http/lib/fz_http_web/live/setting_live/account_form_component.ex
index 03461fb78..91ec908d6 100644
--- a/apps/fz_http/lib/fz_http_web/live/setting_live/account_form_component.ex
+++ b/apps/fz_http/lib/fz_http_web/live/setting_live/account_form_component.ex
@@ -18,7 +18,7 @@ defmodule FzHttpWeb.SettingLive.AccountFormComponent do
   def handle_event("save", %{"user" => user_params}, socket) do
     user = socket.assigns.user
 
-    case Users.admin_update_self(user, user_params) do
+    case Users.admin_update_user(user, user_params) do
       {:ok, _user} ->
         {:noreply,
          socket
diff --git a/apps/fz_http/lib/fz_http_web/live/setting_live/account_form_component.html.heex b/apps/fz_http/lib/fz_http_web/live/setting_live/account_form_component.html.heex
index 65a878175..9c0eca424 100644
--- a/apps/fz_http/lib/fz_http_web/live/setting_live/account_form_component.html.heex
+++ b/apps/fz_http/lib/fz_http_web/live/setting_live/account_form_component.html.heex
@@ -39,20 +39,5 @@
       autocomplete: "new-password",
       label: "Password Confirmation"
     ) %>
-
-    <hr />
-
-    <div class="block">
-      <p>Enter your current password to make these changes.</p>
-    </div>
-
-    <div class="field">
-      <%= label(f, :current_password, class: "label") %>
-      <%= password_input(f, :current_password, class: "input password") %>
-
-      <p class="help is-danger">
-        <%= error_tag(f, :current_password) %>
-      </p>
-    </div>
   </.form>
 </div>
diff --git a/apps/fz_http/lib/fz_http_web/live/setting_live/account_live.ex b/apps/fz_http/lib/fz_http_web/live/setting_live/account_live.ex
index 0df82ed13..e4c0e4eb9 100644
--- a/apps/fz_http/lib/fz_http_web/live/setting_live/account_live.ex
+++ b/apps/fz_http/lib/fz_http_web/live/setting_live/account_live.ex
@@ -27,7 +27,7 @@ defmodule FzHttpWeb.SettingLive.Account do
      socket
      |> assign(:api_token_id, params["api_token_id"])
      |> assign(:subscribe_link, subscribe_link())
-     |> assign(:allow_delete, length(Users.list_admins()) > 1)
+     |> assign(:allow_delete, Users.count_by_role(:admin) > 1)
      |> assign(:api_tokens, ApiTokens.list_api_tokens(socket.assigns.current_user.id))
      |> assign(:changeset, Users.change_user(socket.assigns.current_user))
      |> assign(:methods, MFA.list_methods(socket.assigns.current_user))
@@ -51,7 +51,7 @@ defmodule FzHttpWeb.SettingLive.Account do
   def handle_params(_params, _url, socket) do
     {:noreply,
      socket
-     |> assign(:allow_delete, length(Users.list_admins()) > 1)
+     |> assign(:allow_delete, Users.count_by_role(:admin) > 1)
      |> assign(:api_tokens, ApiTokens.list_api_tokens(socket.assigns.current_user.id))}
   end
 
diff --git a/apps/fz_http/lib/fz_http_web/live/setting_live/security.html.heex b/apps/fz_http/lib/fz_http_web/live/setting_live/security.html.heex
index c68a6ed78..d893cce82 100644
--- a/apps/fz_http/lib/fz_http_web/live/setting_live/security.html.heex
+++ b/apps/fz_http/lib/fz_http_web/live/setting_live/security.html.heex
@@ -77,6 +77,7 @@
           <input
             type="checkbox"
             phx-click="toggle"
+            name="local_auth_enabled"
             phx-value-config="local_auth_enabled"
             checked={FzHttp.Configurations.get!(:local_auth_enabled)}
             value={if(!FzHttp.Configurations.get!(:local_auth_enabled), do: "on")}
@@ -99,6 +100,7 @@
           <input
             type="checkbox"
             phx-click="toggle"
+            name="allow_unprivileged_device_management"
             phx-value-config="allow_unprivileged_device_management"
             checked={FzHttp.Configurations.get!(:allow_unprivileged_device_management)}
             value={
@@ -125,6 +127,7 @@
           <input
             type="checkbox"
             phx-click="toggle"
+            name="allow_unprivileged_device_configuration"
             phx-value-config="allow_unprivileged_device_configuration"
             checked={FzHttp.Configurations.get!(:allow_unprivileged_device_configuration)}
             value={
@@ -159,6 +162,7 @@
           <input
             type="checkbox"
             phx-click="toggle"
+            name="disable_vpn_on_oidc_error"
             phx-value-config="disable_vpn_on_oidc_error"
             checked={FzHttp.Configurations.get!(:disable_vpn_on_oidc_error)}
             value={if(!FzHttp.Configurations.get!(:disable_vpn_on_oidc_error), do: "on")}
diff --git a/apps/fz_http/lib/fz_http_web/live/setting_live/show_api_token_component.ex b/apps/fz_http/lib/fz_http_web/live/setting_live/show_api_token_component.ex
index 860ad0828..a01e9f8f9 100644
--- a/apps/fz_http/lib/fz_http_web/live/setting_live/show_api_token_component.ex
+++ b/apps/fz_http/lib/fz_http_web/live/setting_live/show_api_token_component.ex
@@ -46,7 +46,7 @@ defmodule FzHttpWeb.SettingLive.ShowApiTokenComponent do
         <hr />
         <div class="block">
           <h6 class="title is-6">cURL example:</h6>
-          <pre><code><i># List all users</i>
+          <pre><code id="api-usage-example"><i># List all users</i>
     curl -H 'Content-Type: application/json' \
          -H 'Authorization: Bearer <%= @secret %>' \
          <%= Application.fetch_env!(:fz_http, :external_url) %>/v0/users</code></pre>
diff --git a/apps/fz_http/lib/fz_http_web/live/user_live/form_component.ex b/apps/fz_http/lib/fz_http_web/live/user_live/form_component.ex
index 256493ba8..e0fd2c339 100644
--- a/apps/fz_http/lib/fz_http_web/live/user_live/form_component.ex
+++ b/apps/fz_http/lib/fz_http_web/live/user_live/form_component.ex
@@ -8,7 +8,7 @@ defmodule FzHttpWeb.UserLive.FormComponent do
 
   @impl Phoenix.LiveComponent
   def update(%{action: :new} = assigns, socket) do
-    changeset = Users.new_user()
+    changeset = Users.change_user()
 
     {:ok,
      socket
diff --git a/apps/fz_http/lib/fz_http_web/live/user_live/form_component.html.heex b/apps/fz_http/lib/fz_http_web/live/user_live/form_component.html.heex
index eef78ef44..5cd1b4384 100644
--- a/apps/fz_http/lib/fz_http_web/live/user_live/form_component.html.heex
+++ b/apps/fz_http/lib/fz_http_web/live/user_live/form_component.html.heex
@@ -17,10 +17,7 @@
       <%= label(f, :email, class: "label") %>
 
       <div class="control">
-        <%= text_input(f, :email,
-          class: "input #{input_error_class(f, :email)}",
-          disabled: @user && @user.id == @current_user.id
-        ) %>
+        <%= text_input(f, :email, class: "input #{input_error_class(f, :email)}") %>
       </div>
       <p class="help is-danger">
         <%= error_tag(f, :email) %>
diff --git a/apps/fz_http/lib/fz_http_web/live/user_live/index_live.ex b/apps/fz_http/lib/fz_http_web/live/user_live/index_live.ex
index a27da6af2..1ac008f55 100644
--- a/apps/fz_http/lib/fz_http_web/live/user_live/index_live.ex
+++ b/apps/fz_http/lib/fz_http_web/live/user_live/index_live.ex
@@ -12,8 +12,8 @@ defmodule FzHttpWeb.UserLive.Index do
   def mount(_params, _session, socket) do
     {:ok,
      socket
-     |> assign(:users, Users.list_users(:with_device_counts))
-     |> assign(:changeset, Users.new_user())
+     |> assign(:users, Users.list_users(hydrate: [:device_count]))
+     |> assign(:changeset, Users.change_user())
      |> assign(:page_title, @page_title)}
   end
 
diff --git a/apps/fz_http/lib/fz_http_web/live/user_live/show_live.ex b/apps/fz_http/lib/fz_http_web/live/user_live/show_live.ex
index ed7f44d12..dcf817c3a 100644
--- a/apps/fz_http/lib/fz_http_web/live/user_live/show_live.ex
+++ b/apps/fz_http/lib/fz_http_web/live/user_live/show_live.ex
@@ -11,7 +11,7 @@ defmodule FzHttpWeb.UserLive.Show do
   @impl Phoenix.LiveView
 
   def mount(%{"id" => user_id} = _params, _session, socket) do
-    user = Users.get_user!(user_id)
+    user = Users.fetch_user_by_id!(user_id)
     devices = Devices.list_devices(user)
     connections = OIDC.list_connections(user)
 
@@ -30,7 +30,7 @@ defmodule FzHttpWeb.UserLive.Show do
   """
   @impl Phoenix.LiveView
   def handle_params(%{"id" => user_id} = _params, _url, socket) do
-    user = Users.get_user!(user_id)
+    user = Users.fetch_user_by_id!(user_id)
     devices = Devices.list_devices(user.id)
 
     {:noreply,
@@ -45,7 +45,7 @@ defmodule FzHttpWeb.UserLive.Show do
        socket
        |> put_flash(:error, "Use the account section to delete your account.")}
     else
-      user = Users.get_user!(user_id)
+      user = Users.fetch_user_by_id!(user_id)
 
       case Users.delete_user(user) do
         {:ok, _} ->
@@ -74,7 +74,7 @@ defmodule FzHttpWeb.UserLive.Show do
        socket
        |> put_flash(:error, "Changing your own role is not supported.")}
     else
-      user = Users.get_user!(user_id)
+      user = Users.fetch_user_by_id!(user_id)
 
       role =
         case action do
diff --git a/apps/fz_http/lib/fz_http_web/live/user_live/vpn_connection_component.ex b/apps/fz_http/lib/fz_http_web/live/user_live/vpn_connection_component.ex
index f071a96f0..a18ca91ab 100644
--- a/apps/fz_http/lib/fz_http_web/live/user_live/vpn_connection_component.ex
+++ b/apps/fz_http/lib/fz_http_web/live/user_live/vpn_connection_component.ex
@@ -14,6 +14,7 @@ defmodule FzHttpWeb.UserLive.VPNConnectionComponent do
       <input
         type="checkbox"
         phx-target={@myself}
+        name="toggle_disabled_at"
         phx-click="toggle_disabled_at"
         data-confirm="Are you sure? This may affect this user's internet connectivity."
         disabled={assigns[:disabled]}
diff --git a/apps/fz_http/lib/fz_http_web/live_helpers.ex b/apps/fz_http/lib/fz_http_web/live_helpers.ex
index 4a9e7148c..39e7d3483 100644
--- a/apps/fz_http/lib/fz_http_web/live_helpers.ex
+++ b/apps/fz_http/lib/fz_http_web/live_helpers.ex
@@ -44,11 +44,11 @@ defmodule FzHttpWeb.LiveHelpers do
   end
 
   def vpn_expires_at(user) do
-    Users.vpn_session_expires_at(user, Configurations.vpn_duration())
+    Users.vpn_session_expires_at(user)
   end
 
   def vpn_expired?(user) do
-    Users.vpn_session_expired?(user, Configurations.vpn_duration())
+    Users.vpn_session_expired?(user)
   end
 
   defp status_digit(response_code) when is_integer(response_code) do
diff --git a/apps/fz_http/lib/fz_http_web/mailer/auth_email.ex b/apps/fz_http/lib/fz_http_web/mailer/auth_email.ex
index 4ebfbfb17..6ee19f927 100644
--- a/apps/fz_http/lib/fz_http_web/mailer/auth_email.ex
+++ b/apps/fz_http/lib/fz_http_web/mailer/auth_email.ex
@@ -15,7 +15,7 @@ defmodule FzHttpWeb.Mailer.AuthEmail do
     |> subject("Firezone Magic Link")
     |> to(user.email)
     |> render_body(:magic_link,
-      link: url(~p"/auth/magic/#{user.sign_in_token}")
+      link: url(~p"/auth/magic/#{user.id}/#{user.sign_in_token}")
     )
   end
 end
diff --git a/apps/fz_http/lib/fz_http_web/oidc/helpers.ex b/apps/fz_http/lib/fz_http_web/oidc/helpers.ex
deleted file mode 100644
index b79177aeb..000000000
--- a/apps/fz_http/lib/fz_http_web/oidc/helpers.ex
+++ /dev/null
@@ -1,9 +0,0 @@
-defmodule FzHttpWeb.OIDC.Helpers do
-  @moduledoc """
-  Just some, ya know, helpers for OIDC flows.
-  """
-
-  def openid_connect do
-    FzHttp.Config.fetch_env!(:fz_http, :openid_connect)
-  end
-end
diff --git a/apps/fz_http/lib/fz_http_web/channels/presence.ex b/apps/fz_http/lib/fz_http_web/presence.ex
similarity index 100%
rename from apps/fz_http/lib/fz_http_web/channels/presence.ex
rename to apps/fz_http/lib/fz_http_web/presence.ex
diff --git a/apps/fz_http/lib/fz_http_web/router.ex b/apps/fz_http/lib/fz_http_web/router.ex
index 5b2f36e7d..c25b52b97 100644
--- a/apps/fz_http/lib/fz_http_web/router.ex
+++ b/apps/fz_http/lib/fz_http_web/router.ex
@@ -59,7 +59,7 @@ defmodule FzHttpWeb.Router do
 
     get "/reset_password", AuthController, :reset_password
     post "/magic_link", AuthController, :magic_link
-    get "/magic/:token", AuthController, :magic_sign_in
+    get "/magic/:user_id/:token", AuthController, :magic_sign_in
 
     get "/:provider", AuthController, :request
     get "/:provider/callback", AuthController, :callback
@@ -93,7 +93,11 @@ defmodule FzHttpWeb.Router do
 
     live_session(
       :authenticated,
-      on_mount: [{FzHttpWeb.LiveAuth, :any}, {FzHttpWeb.LiveNav, nil}],
+      on_mount: [
+        FzHttpWeb.Hooks.AllowEctoSandbox,
+        {FzHttpWeb.LiveAuth, :any},
+        {FzHttpWeb.LiveNav, nil}
+      ],
       root_layout: {FzHttpWeb.LayoutView, :root}
     ) do
       live "/auth", MFALive.Auth, :auth
@@ -125,7 +129,12 @@ defmodule FzHttpWeb.Router do
     # Unprivileged Live routes
     live_session(
       :unprivileged,
-      on_mount: [{FzHttpWeb.LiveAuth, :unprivileged}, {FzHttpWeb.LiveNav, nil}, FzHttpWeb.LiveMFA],
+      on_mount: [
+        FzHttpWeb.Hooks.AllowEctoSandbox,
+        {FzHttpWeb.LiveAuth, :unprivileged},
+        {FzHttpWeb.LiveNav, nil},
+        FzHttpWeb.LiveMFA
+      ],
       root_layout: {FzHttpWeb.LayoutView, :unprivileged}
     ) do
       live "/user_devices", DeviceLive.Unprivileged.Index, :index
@@ -153,7 +162,12 @@ defmodule FzHttpWeb.Router do
     # Admin Live routes
     live_session(
       :admin,
-      on_mount: [{FzHttpWeb.LiveAuth, :admin}, FzHttpWeb.LiveNav, FzHttpWeb.LiveMFA],
+      on_mount: [
+        FzHttpWeb.Hooks.AllowEctoSandbox,
+        {FzHttpWeb.LiveAuth, :admin},
+        FzHttpWeb.LiveNav,
+        FzHttpWeb.LiveMFA
+      ],
       root_layout: {FzHttpWeb.LayoutView, :admin}
     ) do
       live "/users", UserLive.Index, :index
diff --git a/apps/fz_http/lib/fz_http_web/sandbox.ex b/apps/fz_http/lib/fz_http_web/sandbox.ex
new file mode 100644
index 000000000..0f9be1747
--- /dev/null
+++ b/apps/fz_http/lib/fz_http_web/sandbox.ex
@@ -0,0 +1,41 @@
+defmodule FzHttpWeb.Sandbox do
+  @moduledoc """
+  A set of helpers that allow Phoenix components (Channels and LiveView) to access SQL sandbox in test environment.
+  """
+
+  def allow_channel_sql_sandbox(socket) do
+    if Map.has_key?(socket.assigns, :user_agent) do
+      allow(socket.assigns.user_agent)
+    end
+
+    socket
+  end
+
+  def allow_live_ecto_sandbox(socket) do
+    if Phoenix.LiveView.connected?(socket) do
+      socket
+      |> Phoenix.LiveView.get_connect_info(:user_agent)
+      |> allow()
+    end
+
+    socket
+  end
+
+  if Mix.env() in [:test, :dev] do
+    defp allow(metadata) do
+      # We notify the test process that there is someone trying to access the sandbox,
+      # so that it can optionally await after test has passed for the sandbox to be
+      # closed gracefully
+      case Phoenix.Ecto.SQL.Sandbox.decode_metadata(metadata) do
+        %{owner: owner_pid} -> send(owner_pid, {:sandbox_access, self()})
+        _ -> :ok
+      end
+
+      Phoenix.Ecto.SQL.Sandbox.allow(metadata, Ecto.Adapters.SQL.Sandbox)
+    end
+  else
+    defp allow(_metadata) do
+      :ok
+    end
+  end
+end
diff --git a/apps/fz_http/lib/fz_http_web/channels/user_socket.ex b/apps/fz_http/lib/fz_http_web/sockets/user_socket.ex
similarity index 91%
rename from apps/fz_http/lib/fz_http_web/channels/user_socket.ex
rename to apps/fz_http/lib/fz_http_web/sockets/user_socket.ex
index 81233fc47..d7d75a28f 100644
--- a/apps/fz_http/lib/fz_http_web/channels/user_socket.ex
+++ b/apps/fz_http/lib/fz_http_web/sockets/user_socket.ex
@@ -1,7 +1,5 @@
 defmodule FzHttpWeb.UserSocket do
   use Phoenix.Socket
-
-  alias FzHttp.Users
   alias FzHttpWeb.HeaderHelpers
 
   @blank_ip_warning """
@@ -31,6 +29,8 @@ defmodule FzHttpWeb.UserSocket do
   # See `Phoenix.Token` documentation for examples in
   # performing token verification on connect.
   def connect(%{"token" => token}, socket, connect_info) do
+    socket = assign(socket, :user_agent, connect_info[:user_agent])
+
     parse_ip(connect_info)
     |> verify_token_and_assign_remote_ip(token, socket)
   end
@@ -50,16 +50,28 @@ defmodule FzHttpWeb.UserSocket do
   defp verify_token_and_assign_remote_ip(ip, token, socket) do
     case Phoenix.Token.verify(socket, "user auth", token, @token_verify_opts) do
       {:ok, user_id} ->
-        {:ok,
-         socket
-         |> assign(:current_user, Users.get_user!(user_id))
-         |> assign(:remote_ip, ip)}
+        socket =
+          socket
+          |> assign(:current_user_id, user_id)
+          |> assign(:remote_ip, ip)
+
+        {:ok, socket}
 
       {:error, reason} ->
         {:error, reason}
     end
   end
 
+  # No proxy
+  defp get_ip_address(%{peer_data: %{address: address}, x_headers: []}) do
+    address
+  end
+
+  # Proxied
+  defp get_ip_address(%{x_headers: x_headers}) do
+    RemoteIp.from(x_headers, HeaderHelpers.remote_ip_opts())
+  end
+
   # Socket id's are topics that allow you to identify all sockets for a given user:
   #
   #     def id(socket), do: "user_socket:#{socket.assigns.user_id}"
@@ -71,15 +83,5 @@ defmodule FzHttpWeb.UserSocket do
   #
   # Returning `nil` makes this socket anonymous.
   # def id(_socket), do: nil
-  def id(socket), do: "user_socket:#{socket.assigns.current_user.id}"
-
-  # No proxy
-  defp get_ip_address(%{peer_data: %{address: address}, x_headers: []}) do
-    address
-  end
-
-  # Proxied
-  defp get_ip_address(%{x_headers: x_headers}) do
-    RemoteIp.from(x_headers, HeaderHelpers.remote_ip_opts())
-  end
+  def id(socket), do: "user_socket:#{socket.assigns.current_user_id}"
 end
diff --git a/apps/fz_http/lib/fz_http_web/user_from_auth.ex b/apps/fz_http/lib/fz_http_web/user_from_auth.ex
index 9f43ffec8..258719b57 100644
--- a/apps/fz_http/lib/fz_http_web/user_from_auth.ex
+++ b/apps/fz_http/lib/fz_http_web/user_from_auth.ex
@@ -13,22 +13,26 @@ defmodule FzHttpWeb.UserFromAuth do
           credentials: %Ueberauth.Auth.Credentials{other: %{password: password}}
         } = _auth
       ) do
-    Users.get_by_email(email) |> Authentication.authenticate(password)
+    with {:ok, user} <- Users.fetch_user_by_email(email) do
+      Authentication.authenticate(user, password)
+    end
   end
 
   # SAML
   def find_or_create(:saml, provider_id, %{"email" => email}) do
-    case Users.get_by_email(email) do
-      nil -> maybe_create_user(:saml_identity_providers, provider_id, email)
-      user -> {:ok, user}
+    with {:ok, user} <- Users.fetch_user_by_email(email) do
+      {:ok, user}
+    else
+      {:error, :not_found} -> maybe_create_user(:saml_identity_providers, provider_id, email)
     end
   end
 
   # OIDC
   def find_or_create(provider_id, %{"email" => email, "sub" => _sub}) do
-    case Users.get_by_email(email) do
-      nil -> maybe_create_user(:openid_connect_providers, provider_id, email)
-      user -> {:ok, user}
+    with {:ok, user} <- Users.fetch_user_by_email(email) do
+      {:ok, user}
+    else
+      {:error, :not_found} -> maybe_create_user(:openid_connect_providers, provider_id, email)
     end
   end
 
diff --git a/apps/fz_http/lib/fz_http_web/views/error_view.ex b/apps/fz_http/lib/fz_http_web/views/error_view.ex
index e6a547ff8..0c82e0574 100644
--- a/apps/fz_http/lib/fz_http_web/views/error_view.ex
+++ b/apps/fz_http/lib/fz_http_web/views/error_view.ex
@@ -7,6 +7,10 @@ defmodule FzHttpWeb.ErrorView do
   #   "Internal Server Error"
   # end
 
+  def render("404.json", _assigns) do
+    %{"error" => "not_found"}
+  end
+
   # By default, Phoenix returns the status message from
   # the template name. For example, "404.html" becomes
   # "Not Found".
diff --git a/apps/fz_http/mix.exs b/apps/fz_http/mix.exs
index 4c4c8826c..5ce11cc00 100644
--- a/apps/fz_http/mix.exs
+++ b/apps/fz_http/mix.exs
@@ -1,11 +1,6 @@
 defmodule FzHttp.MixProject do
   use Mix.Project
 
-  def version do
-    # Use dummy version for dev and test
-    System.get_env("VERSION", "0.0.0+git.0.deadbeef")
-  end
-
   def project do
     [
       app: :fz_http,
@@ -30,16 +25,17 @@ defmodule FzHttp.MixProject do
     ]
   end
 
-  # Configuration for the OTP application.
-  #
-  # Type `mix help compile.app` for more information.
+  def version do
+    # Use dummy version for dev and test
+    System.get_env("VERSION", "0.0.0+git.0.deadbeef")
+  end
+
   def application do
     [
       mod: {FzHttp.Application, []},
       extra_applications: [
         :logger,
-        :runtime_tools,
-        :ueberauth_identity
+        :runtime_tools
       ],
       registered: [:fz_http_server]
     ]
@@ -49,63 +45,63 @@ defmodule FzHttp.MixProject do
   defp elixirc_paths(:test), do: ["lib", "test/support"]
   defp elixirc_paths(_), do: ["lib"]
 
-  # Specifies your project dependencies.
-  #
-  # Type `mix help deps` for examples and options.
   defp deps do
     [
+      # Umbrella deps
       {:fz_common, in_umbrella: true},
-      {:bypass, "~> 2.1", only: :test},
+
+      # Phoenix/Plug deps
+      {:plug, "~> 1.13"},
+      {:plug_cowboy, "~> 2.5"},
+      {:phoenix, "~> 1.7.0-rc.1", override: true},
+      {:phoenix_ecto, "~> 4.4"},
+      {:phoenix_html, "~> 3.2"},
+      {:phoenix_pubsub, "~> 2.0"},
+      {:phoenix_live_view, "~> 0.18.3"},
+      {:phoenix_live_dashboard, "~> 0.7.2"},
+      {:phoenix_live_reload, "~> 1.3", only: :dev},
+      {:phoenix_swoosh, "~> 1.0"},
+      {:gettext, "~> 0.18"},
+
+      # Ecto-related deps
+      {:postgrex, "~> 0.16"},
       {:decimal, "~> 2.0"},
+      {:ecto_sql, "~> 3.7"},
+      {:ecto_network,
+       github: "firezone/ecto_network", ref: "7dfe65bcb6506fb0ed6050871b433f3f8b1c10cb"},
       {:cloak, "~> 1.1"},
       {:cloak_ecto, "~> 1.2"},
-      {:excoveralls, "~> 0.14", only: :test},
-      {:floki, ">= 0.0.0", only: :test},
-      {:mox, "~> 1.0.1", only: :test},
+
+      # Auth-related deps
       {:guardian, "~> 2.0"},
       {:guardian_db, "~> 2.0"},
+      {:openid_connect, github: "firezone/openid_connect", branch: "andrew/rewrite"},
       # XXX: All github deps should use ref instead of always updating from master branch
-      {:openid_connect, github: "firezone/openid_connect"},
       {:esaml, github: "firezone/esaml", override: true},
       {:samly, github: "firezone/samly"},
       {:ueberauth, "~> 0.7"},
       {:ueberauth_identity, "~> 0.4"},
-      {:httpoison, "~> 1.8"},
       {:argon2_elixir, "~> 2.0"},
-      {:phoenix_pubsub, "~> 2.0"},
-      {:phoenix_ecto, "~> 4.4"},
-      {:ecto_sql, "~> 3.7"},
-      {:ecto_network,
-       github: "firezone/ecto_network", ref: "7dfe65bcb6506fb0ed6050871b433f3f8b1c10cb"},
-      {:inflex, "~> 2.1"},
-      {:plug, "~> 1.13"},
-      {:postgrex, "~> 0.16"},
-      {:phoenix_html, "~> 3.2"},
-      {:phoenix_live_view, "~> 0.18.3"},
-      {:phoenix, "~> 1.7.0-rc.0", override: true},
-      {:phoenix_live_dashboard, "~> 0.7.2"},
-      {:phoenix_live_reload, "~> 1.3", only: :dev},
-      {:gettext, "~> 0.18"},
-      {:jason, "~> 1.2"},
-      {:phoenix_swoosh, "~> 1.0"},
-      {:gen_smtp, "~> 1.0"},
       {:nimble_totp, "~> 0.2"},
+
+      # Other deps
+      {:remote_ip, "~> 1.0"},
+      # XXX: Drop it, it's not maintained anymore
+      {:httpoison, "~> 1.8"},
       # XXX: Change this when hex package is updated
       {:cidr, github: "firezone/cidr-elixir"},
       {:telemetry, "~> 1.0"},
-      {:plug_cowboy, "~> 2.5"},
-      {:credo, "~> 1.5", only: [:dev, :test], runtime: false},
-      {:remote_ip, "~> 1.0"},
-      {:bureaucrat, "~> 0.2.9", only: :test}
+      # Used in Swoosh SMTP adapter
+      {:gen_smtp, "~> 1.0"},
+
+      # Test and dev deps
+      {:bypass, "~> 2.1", only: :test},
+      {:wallaby, "~> 0.30.0", only: :test},
+      {:bureaucrat, "~> 0.2.9", only: :test},
+      {:floki, "~> 0.34.0"}
     ]
   end
 
-  # Aliases are shortcuts or tasks specific to the current project.
-  # For example, to create, migrate and run the seeds file at once:
-  #
-  #     $ mix ecto.setup
-  #
-  # See the documentation for `Mix` for more info on aliases.
   defp aliases do
     [
       "ecto.seed": ["ecto.create", "ecto.migrate", "run priv/repo/seeds.exs"],
diff --git a/apps/fz_http/priv/repo/migrations/20230104000803_add_users_sign_in_token_hash.exs b/apps/fz_http/priv/repo/migrations/20230104000803_add_users_sign_in_token_hash.exs
new file mode 100644
index 000000000..1ce9693eb
--- /dev/null
+++ b/apps/fz_http/priv/repo/migrations/20230104000803_add_users_sign_in_token_hash.exs
@@ -0,0 +1,10 @@
+defmodule FzHttp.Repo.Migrations.AddUsersSignInTokenHash do
+  use Ecto.Migration
+
+  def change do
+    alter table(:users) do
+      remove(:sign_in_token, :string)
+      add(:sign_in_token_hash, :string)
+    end
+  end
+end
diff --git a/apps/fz_http/priv/repo/migrations/20230104181853_change_users_email_to_citext.exs b/apps/fz_http/priv/repo/migrations/20230104181853_change_users_email_to_citext.exs
new file mode 100644
index 000000000..7005deeee
--- /dev/null
+++ b/apps/fz_http/priv/repo/migrations/20230104181853_change_users_email_to_citext.exs
@@ -0,0 +1,11 @@
+defmodule FzHttp.Repo.Migrations.ChangeUsersEmailToCitext do
+  use Ecto.Migration
+
+  def change do
+    execute("CREATE EXTENSION IF NOT EXISTS citext")
+
+    alter table(:users) do
+      modify(:email, :citext)
+    end
+  end
+end
diff --git a/apps/fz_http/test/fz_http/connectivity_check_service_test.exs b/apps/fz_http/test/fz_http/connectivity_check_service_test.exs
index ccf5bf384..c6c154cd1 100644
--- a/apps/fz_http/test/fz_http/connectivity_check_service_test.exs
+++ b/apps/fz_http/test/fz_http/connectivity_check_service_test.exs
@@ -24,7 +24,6 @@ defmodule FzHttp.ConnectivityCheckServiceTest do
     @expected_response %{reason: :nxdomain}
     @url "invalid-url"
 
-    @tag capture_log: true
     test "returns error reason" do
       assert @expected_response = ConnectivityCheckService.post_request(@url)
       assert ConnectivityChecks.list_connectivity_checks() == []
diff --git a/apps/fz_http/test/fz_http/devices_test.exs b/apps/fz_http/test/fz_http/devices_test.exs
index 066423722..bbc8939df 100644
--- a/apps/fz_http/test/fz_http/devices_test.exs
+++ b/apps/fz_http/test/fz_http/devices_test.exs
@@ -108,7 +108,7 @@ defmodule FzHttp.DevicesTest do
     end
 
     test "shows devices scoped to a user", %{device: device} do
-      user = Users.get_user!(device.user_id)
+      user = Users.fetch_user_by_id!(device.user_id)
       assert Devices.list_devices(user) == [device]
     end
   end
diff --git a/apps/fz_http/test/fz_http/oidc/refresher_test.exs b/apps/fz_http/test/fz_http/oidc/refresher_test.exs
index f6bce4f4b..f0a9624ed 100644
--- a/apps/fz_http/test/fz_http/oidc/refresher_test.exs
+++ b/apps/fz_http/test/fz_http/oidc/refresher_test.exs
@@ -1,57 +1,44 @@
 defmodule FzHttp.OIDC.RefresherTest do
   use FzHttp.DataCase, async: true
-
-  import Mox
-
   alias FzHttp.{OIDC.Refresher, Repo}
 
   setup :create_user
 
   setup %{user: user} do
+    {bypass, [provider_attrs]} = FzHttp.ConfigurationsFixtures.start_openid_providers(["google"])
+
     conn =
       Repo.insert!(%FzHttp.OIDC.Connection{
         user_id: user.id,
-        provider: "test",
+        provider: "google",
         refresh_token: "REFRESH_TOKEN"
       })
 
-    {:ok, conn: conn}
+    {:ok, conn: conn, bypass: bypass, provider_attrs: provider_attrs}
   end
 
   describe "refresh failed" do
-    setup do
-      expect(OpenIDConnect.Mock, :fetch_tokens, fn _, _ ->
-        {:error, :fetch_tokens, "TEST_ERROR"}
-      end)
+    test "disable user", %{user: user, conn: conn, bypass: bypass} do
+      FzHttp.ConfigurationsFixtures.expect_refresh_token_failure(bypass)
 
-      :ok
-    end
-
-    test "disable user", %{user: user, conn: conn} do
-      Refresher.refresh(user.id)
+      assert Refresher.refresh(user.id) == {:stop, :shutdown, user.id}
       user = Repo.reload(user)
-      conn = Repo.reload(conn)
-
       assert user.disabled_at
+
+      conn = Repo.reload(conn)
       assert %{"error" => _} = conn.refresh_response
     end
   end
 
   describe "refresh succeeded" do
-    setup do
-      expect(OpenIDConnect.Mock, :fetch_tokens, fn _, _ ->
-        {:ok, %{data: "success"}}
-      end)
+    test "does not change user", %{user: user, conn: conn, bypass: bypass} do
+      FzHttp.ConfigurationsFixtures.expect_refresh_token(bypass)
 
-      :ok
-    end
-
-    test "does not change user", %{user: user, conn: conn} do
-      Refresher.refresh(user.id)
+      assert Refresher.refresh(user.id) == {:stop, :shutdown, user.id}
       user = Repo.reload(user)
-      conn = Repo.reload(conn)
-
       refute user.disabled_at
+
+      conn = Repo.reload(conn)
       refute match?(%{"error" => _}, conn.refresh_response)
     end
   end
diff --git a/apps/fz_http/test/fz_http/release_test.exs b/apps/fz_http/test/fz_http/release_test.exs
index 696449274..cec554001 100644
--- a/apps/fz_http/test/fz_http/release_test.exs
+++ b/apps/fz_http/test/fz_http/release_test.exs
@@ -23,8 +23,9 @@ defmodule FzHttp.ReleaseTest do
   describe "create_admin_user/0" do
     test "creates admin when none exists" do
       Release.create_admin_user()
-      user = Users.get_user!(email: Application.fetch_env!(:fz_http, :admin_email))
-      assert %User{} = user
+
+      assert {:ok, %User{}} =
+               Users.fetch_user_by_email(Application.fetch_env!(:fz_http, :admin_email))
     end
 
     test "reset admin password when user exists" do
@@ -54,7 +55,7 @@ defmodule FzHttp.ReleaseTest do
 
     test "changes password", %{user: user} do
       Release.change_password(user.email, "this password should be different")
-      new_user = Users.get_user!(email: user.email)
+      assert {:ok, new_user} = Users.fetch_user_by_email(user.email)
 
       assert new_user.password_hash != user.password_hash
     end
diff --git a/apps/fz_http/test/fz_http/telemetry_test.exs b/apps/fz_http/test/fz_http/telemetry_test.exs
index e27e19dc7..911e9e559 100644
--- a/apps/fz_http/test/fz_http/telemetry_test.exs
+++ b/apps/fz_http/test/fz_http/telemetry_test.exs
@@ -41,10 +41,15 @@ defmodule FzHttp.TelemetryTest do
 
   describe "auth" do
     test "count openid providers" do
-      FzHttp.Configurations.put!(
-        :openid_connect_providers,
-        FzHttp.ConfigurationsFixtures.openid_connect_providers_attrs()
-      )
+      FzHttp.ConfigurationsFixtures.start_openid_providers([
+        "google",
+        "okta",
+        "auth0",
+        "azure",
+        "onelogin",
+        "keycloak",
+        "vault"
+      ])
 
       ping_data = Telemetry.ping_data()
 
diff --git a/apps/fz_http/test/fz_http/users_test.exs b/apps/fz_http/test/fz_http/users_test.exs
index 0f1f5d06a..2a644179b 100644
--- a/apps/fz_http/test/fz_http/users_test.exs
+++ b/apps/fz_http/test/fz_http/users_test.exs
@@ -1,308 +1,520 @@
 defmodule FzHttp.UsersTest do
   use FzHttp.DataCase, async: true
-
-  alias FzHttp.{Repo, Users}
+  alias FzHttp.UsersFixtures
+  alias FzHttp.DevicesFixtures
+  alias FzHttp.Configurations
+  alias FzHttp.Users
 
   describe "count/0" do
-    setup :create_user
-
     test "returns correct count of all users" do
+      assert Users.count() == 0
+
+      UsersFixtures.create_user()
       assert Users.count() == 1
+
+      UsersFixtures.create_user()
+      assert Users.count() == 2
     end
   end
 
-  describe "count/1" do
-    setup :create_users
-
-    @tag count: 3
-    test "returns the correct count of admin users" do
-      assert Users.count(role: :admin) == 3
+  describe "count_by_role/0" do
+    test "returns 0 when there are no users" do
+      assert Users.count_by_role(:unprivileged) == 0
+      assert Users.count_by_role(:admin) == 0
     end
 
-    @tag count: 7, role: :unprivileged
-    test "returns the correct count of unprivileged users" do
-      assert Users.count(role: :unprivileged) == 7
+    test "returns correct count of admin users" do
+      UsersFixtures.create_user_with_role(:admin)
+      assert Users.count_by_role(:admin) == 1
+      assert Users.count_by_role(:unprivileged) == 0
+
+      UsersFixtures.create_user_with_role(:unprivileged)
+      assert Users.count_by_role(:admin) == 1
+      assert Users.count_by_role(:unprivileged) == 1
+
+      for _ <- 1..5, do: UsersFixtures.create_user_with_role(:unprivileged)
+      assert Users.count_by_role(:admin) == 1
+      assert Users.count_by_role(:unprivileged) == 6
     end
   end
 
-  describe "trimmed fields" do
-    test "trims expected fields" do
-      changeset =
-        Users.User.create_changeset(struct(Users.User), %{
-          "email" => " foo "
-        })
+  describe "fetch_user_by_id/1" do
+    test "returns error when user is not found" do
+      assert Users.fetch_user_by_id(Ecto.UUID.generate()) == {:error, :not_found}
+    end
 
-      assert %Ecto.Changeset{
-               changes: %{
-                 email: "foo"
-               }
-             } = changeset
+    test "returns error when id is not a valid UUIDv4" do
+      assert Users.fetch_user_by_id("foo") == {:error, :not_found}
+    end
+
+    test "returns user" do
+      user = UsersFixtures.create_user()
+      assert {:ok, returned_user} = Users.fetch_user_by_id(user.id)
+      assert returned_user.id == user.id
     end
   end
 
-  describe "consume_sign_in_token/1 valid token" do
-    setup [:create_user_with_valid_sign_in_token]
+  describe "fetch_user_by_id!/1" do
+    test "raises when user is not found" do
+      assert_raise(Ecto.NoResultsError, fn ->
+        Users.fetch_user_by_id!(Ecto.UUID.generate())
+      end)
+    end
 
-    test "returns user when token is valid", %{user: user} do
-      {:ok, signed_in_user} = Users.consume_sign_in_token(user.sign_in_token)
+    test "raises when id is not a valid UUIDv4" do
+      assert_raise(Ecto.Query.CastError, fn ->
+        assert Users.fetch_user_by_id!("foo")
+      end)
+    end
 
+    test "returns user" do
+      user = UsersFixtures.create_user()
+      assert returned_user = Users.fetch_user_by_id!(user.id)
+      assert returned_user.id == user.id
+    end
+  end
+
+  describe "fetch_user_by_email/1" do
+    test "returns error when user is not found" do
+      assert Users.fetch_user_by_email("foo@bar") == {:error, :not_found}
+    end
+
+    test "returns user" do
+      user = UsersFixtures.create_user()
+      assert {:ok, returned_user} = Users.fetch_user_by_email(user.email)
+      assert returned_user.id == user.id
+    end
+
+    test "email is not case sensitive" do
+      user = UsersFixtures.create_user()
+      assert {:ok, user} = Users.fetch_user_by_email(String.upcase(user.email))
+      assert {:ok, ^user} = Users.fetch_user_by_email(String.downcase(user.email))
+    end
+  end
+
+  describe "fetch_user_by_id_or_email/1" do
+    test "returns error when user is not found" do
+      assert Users.fetch_user_by_id_or_email(Ecto.UUID.generate()) == {:error, :not_found}
+      assert Users.fetch_user_by_id_or_email("foo@bar.com") == {:error, :not_found}
+      assert Users.fetch_user_by_id_or_email("foo") == {:error, :not_found}
+    end
+
+    test "returns user by id" do
+      user = UsersFixtures.create_user()
+      assert {:ok, returned_user} = Users.fetch_user_by_id(user.id)
+      assert returned_user.id == user.id
+    end
+
+    test "returns user by email" do
+      user = UsersFixtures.create_user()
+      assert {:ok, returned_user} = Users.fetch_user_by_email(user.email)
+      assert returned_user.id == user.id
+    end
+  end
+
+  describe "list_users/1" do
+    test "returns empty list when there are not users" do
+      assert Users.list_users() == []
+      assert Users.list_users(hydrate: [:device_count]) == []
+    end
+
+    test "returns list of users in all roles" do
+      user1 = UsersFixtures.create_user_with_role(:admin)
+      user2 = UsersFixtures.create_user_with_role(:unprivileged)
+
+      assert users = Users.list_users()
+      assert length(users) == 2
+      assert Enum.sort(Enum.map(users, & &1.id)) == Enum.sort([user1.id, user2.id])
+    end
+
+    test "hydrates users with device count" do
+      user1 = UsersFixtures.create_user_with_role(:admin)
+      DevicesFixtures.create_device_for_user(user1)
+
+      user2 = UsersFixtures.create_user_with_role(:unprivileged)
+      DevicesFixtures.create_device_for_user(user2)
+      DevicesFixtures.create_device_for_user(user2)
+
+      assert users = Users.list_users(hydrate: [:device_count])
+      assert length(users) == 2
+
+      assert Enum.sort(Enum.map(users, &{&1.id, &1.device_count})) ==
+               Enum.sort([{user1.id, 1}, {user2.id, 2}])
+
+      assert users = Users.list_users(hydrate: [:device_count, :device_count])
+
+      assert Enum.sort(Enum.map(users, &{&1.id, &1.device_count})) ==
+               Enum.sort([{user1.id, 1}, {user2.id, 2}])
+    end
+  end
+
+  describe "request_sign_in_token/1" do
+    test "returns user with updated sign-in token" do
+      user = UsersFixtures.create_user()
+      refute user.sign_in_token_hash
+
+      assert {:ok, user} = Users.request_sign_in_token(user)
+      assert user.sign_in_token
+      assert user.sign_in_token_hash
+      assert user.sign_in_token_created_at
+    end
+  end
+
+  describe "consume_sign_in_token/1" do
+    test "returns user when token is valid" do
+      {:ok, user} =
+        UsersFixtures.create_user()
+        |> Users.request_sign_in_token()
+
+      assert {:ok, signed_in_user} = Users.consume_sign_in_token(user, user.sign_in_token)
       assert signed_in_user.id == user.id
     end
 
-    test "clears the sign in token when consumed", %{user: user} do
-      Users.consume_sign_in_token(user.sign_in_token)
+    test "clears the sign in token when consumed" do
+      {:ok, user} =
+        UsersFixtures.create_user()
+        |> Users.request_sign_in_token()
 
-      assert is_nil(Users.get_user!(user.id).sign_in_token)
-      assert is_nil(Users.get_user!(user.id).sign_in_token_created_at)
+      assert {:ok, user} = Users.consume_sign_in_token(user, user.sign_in_token)
+      assert is_nil(user.sign_in_token)
+      assert is_nil(user.sign_in_token_created_at)
+
+      assert user = Repo.one(Users.User)
+      assert is_nil(user.sign_in_token)
+      assert is_nil(user.sign_in_token_created_at)
+    end
+
+    test "returns error when token doesn't exist" do
+      user = UsersFixtures.create_user()
+
+      assert Users.consume_sign_in_token(user, "foo") == {:error, :no_token}
+    end
+
+    test "token expires in one hour" do
+      about_one_hour_ago =
+        DateTime.utc_now()
+        |> DateTime.add(-1, :hour)
+        |> DateTime.add(30, :second)
+
+      {:ok, user} =
+        UsersFixtures.create_user()
+        |> Users.request_sign_in_token()
+
+      user
+      |> Ecto.Changeset.change(sign_in_token_created_at: about_one_hour_ago)
+      |> Repo.update!()
+
+      assert {:ok, _user} = Users.consume_sign_in_token(user, user.sign_in_token)
+    end
+
+    test "returns error when token is expired" do
+      one_hour_and_one_second_ago =
+        DateTime.utc_now()
+        |> DateTime.add(-1, :hour)
+        |> DateTime.add(-1, :second)
+
+      {:ok, user} =
+        UsersFixtures.create_user()
+        |> Users.request_sign_in_token()
+
+      user =
+        user
+        |> Ecto.Changeset.change(sign_in_token_created_at: one_hour_and_one_second_ago)
+        |> Repo.update!()
+
+      assert Users.consume_sign_in_token(user, user.sign_in_token) == {:error, :token_expired}
     end
   end
 
-  describe "consume_sign_in_token/1 invalid token" do
-    setup [:create_user_with_expired_sign_in_token]
+  describe "create_user/2" do
+    test "returns changeset error when attrs are missing" do
+      assert {:error, changeset} = Users.create_user(%{})
+      refute changeset.valid?
 
-    test "returns {:error, msg} when token doesn't exist", %{user: _user} do
-      assert {:error, "Token invalid."} = Users.consume_sign_in_token("blah")
+      assert errors_on(changeset) == %{email: ["can't be blank"]}
     end
 
-    test "returns {:error, msg} when token is expired", %{user: user} do
-      assert {:error, "Token invalid."} = Users.consume_sign_in_token(user.sign_in_token)
-    end
-  end
+    test "returns error on invalid attrs" do
+      assert {:error, changeset} = Users.create_user(%{email: "invalid_email", password: "short"})
+      refute changeset.valid?
 
-  describe "get_user!/1" do
-    setup [:create_user]
-
-    test "gets user by id", %{user: user} do
-      assert Users.get_user!(user.id).id == user.id
-    end
-
-    test "raises Ecto.NoResultsError for missing Users", %{user: _user} do
-      assert_raise(Ecto.NoResultsError, fn ->
-        Users.get_user!(Ecto.UUID.generate())
-      end)
-    end
-  end
-
-  describe "get_user/1" do
-    setup [:create_user]
-
-    test "returns user if found", %{user: user} do
-      assert Users.get_user(user.id).id == user.id
-    end
-
-    test "returns nil if not found" do
-      assert nil == Users.get_user(Ecto.UUID.generate())
-    end
-  end
-
-  describe "create_user/1" do
-    @valid_attrs_map %{
-      email: "valid@test",
-      password: "password1234",
-      password_confirmation: "password1234"
-    }
-    @valid_attrs_list [
-      email: "valid@test",
-      password: "password1234",
-      password_confirmation: "password1234"
-    ]
-    @invalid_attrs_map %{
-      email: "invalid_email",
-      password: "password1234",
-      password_confirmation: "password1234"
-    }
-    @invalid_attrs_list [
-      email: "valid@test",
-      password: "password1234",
-      password_confirmation: "different_password1234"
-    ]
-    @too_short_password [
-      email: "valid@test",
-      password: "short11",
-      password_confirmation: "short11"
-    ]
-    @too_long_password [
-      email: "valid@test",
-      password: String.duplicate("a", 65),
-      password_confirmation: String.duplicate("a", 65)
-    ]
-
-    test "doesn't create user with password too short" do
-      assert {:error, changeset} = Users.create_admin_user(@too_short_password)
-
-      assert changeset.errors[:password] == {
-               "should be at least %{count} character(s)",
-               [count: 12, validation: :length, kind: :min, type: :string]
+      assert errors_on(changeset) == %{
+               email: ["is invalid email address"],
+               password: ["should be at least 12 character(s)"],
+               password_confirmation: ["can't be blank"]
              }
+
+      assert {:error, changeset} =
+               Users.create_user(%{email: "invalid_email", password: String.duplicate("A", 65)})
+
+      refute changeset.valid?
+      assert "should be at most 64 character(s)" in errors_on(changeset).password
+
+      assert {:error, changeset} = Users.create_user(%{email: String.duplicate(" ", 18)})
+      refute changeset.valid?
+
+      assert "can't be blank" in errors_on(changeset).email
     end
 
-    test "doesn't create user with password too long" do
-      assert {:error, changeset} = Users.create_admin_user(@too_long_password)
+    test "requires password confirmation to match the password" do
+      assert {:error, changeset} =
+               Users.create_user(%{password: "foo", password_confirmation: "bar"})
 
-      assert changeset.errors[:password] == {
-               "should be at most %{count} character(s)",
-               [count: 64, validation: :length, kind: :max, type: :string]
-             }
+      assert "does not match confirmation" in errors_on(changeset).password_confirmation
+
+      assert {:error, changeset} =
+               Users.create_user(%{
+                 password: "password1234",
+                 password_confirmation: "password1234"
+               })
+
+      refute Map.has_key?(errors_on(changeset), :password_confirmation)
     end
 
-    test "creates user with valid map of attributes" do
-      assert {:ok, _user} = Users.create_admin_user(@valid_attrs_map)
+    test "returns error when email is already taken" do
+      attrs = UsersFixtures.user_attrs()
+      assert {:ok, _user} = Users.create_user(attrs)
+      assert {:error, changeset} = Users.create_user(attrs)
+      refute changeset.valid?
+      assert "has already been taken" in errors_on(changeset).email
     end
 
-    test "creates user with valid list of attributes" do
-      assert {:ok, _user} = Users.create_admin_user(@valid_attrs_list)
+    test "returns error when role is invalid" do
+      attrs = UsersFixtures.user_attrs()
+
+      assert_raise Ecto.ChangeError, fn ->
+        Users.create_user(attrs, :foo)
+      end
     end
 
-    test "doesn't create user with invalid map of attributes" do
-      assert {:error, _changeset} = Users.create_admin_user(@invalid_attrs_map)
+    test "creates a user in given role" do
+      for role <- [:admin, :unprivileged] do
+        attrs = UsersFixtures.user_attrs()
+        assert {:ok, user} = Users.create_user(attrs, role)
+        assert user.role == role
+      end
     end
 
-    test "doesn't create user with invalid list of attributes" do
-      assert {:error, _changeset} = Users.create_admin_user(@invalid_attrs_list)
+    test "creates an unprivileged user" do
+      attrs = UsersFixtures.user_attrs()
+      assert {:ok, user} = Users.create_user(attrs)
+      assert user.role == :unprivileged
+      assert user.email == attrs.email
+
+      assert FzCommon.FzCrypto.equal?(attrs.password, user.password_hash)
+      assert is_nil(user.password)
+      assert is_nil(user.password_confirmation)
+
+      assert is_nil(user.last_signed_in_at)
+      assert is_nil(user.last_signed_in_method)
+      assert is_nil(user.sign_in_token)
+      assert is_nil(user.sign_in_token_hash)
+      assert is_nil(user.sign_in_token_created_at)
+    end
+
+    test "allows creating a user without password" do
+      email = UsersFixtures.user_attrs().email
+      attrs = %{email: email, password: nil, password_confirmation: nil}
+      assert {:ok, user} = Users.create_user(attrs)
+      assert is_nil(user.password_hash)
+
+      email = UsersFixtures.user_attrs().email
+      attrs = %{email: email, password: "", password_confirmation: ""}
+      assert {:ok, user} = Users.create_user(attrs)
+      assert is_nil(user.password_hash)
+    end
+
+    test "trims email" do
+      attrs = UsersFixtures.user_attrs()
+
+      assert {:ok, user} =
+               attrs
+               |> Map.put(:email, " #{attrs.email} ")
+               |> Users.create_user()
+
+      assert user.email == attrs.email
     end
   end
 
-  describe "sign_in_keys/0" do
-    test "generates sign in token and created at" do
-      params = Users.sign_in_keys()
-
-      assert is_binary(params.sign_in_token)
-      assert %DateTime{} = params.sign_in_token_created_at
-    end
-  end
-
-  @change_password_valid_params %{
-    password: "new_password",
-    password_confirmation: "new_password",
-    current_password: "password1234"
-  }
-  @change_password_invalid_params %{
-    "password" => "new_password",
-    "password_confirmation" => "new_password",
-    "current_password" => "invalid"
-  }
-  @password_params %{"password" => "new_password", "password_confirmation" => "new_password"}
-  @email_params %{"email" => "new_email@test", "current_password" => "password1234"}
-  @email_and_password_params %{
-    "password" => "new_password",
-    "password_confirmation" => "new_password",
-    "email" => "new_email@test",
-    "current_password" => "password1234"
-  }
-  @clear_hash_params %{"password_hash" => nil, "current_password" => "password1234"}
-  @empty_password_params %{
-    "password" => nil,
-    "password_confirmation" => nil,
-    "current_password" => "password1234"
-  }
-  @email_empty_password_params %{
-    "email" => "foobar@test",
-    "password" => "",
-    "password_confirmation" => "",
-    "current_password" => "password1234"
-  }
-
   describe "admin_update_user/2" do
-    setup :create_user
-
-    test "changes password", %{user: user} do
-      {:ok, new_user} = Users.admin_update_user(user, @password_params)
-      assert new_user.password_hash != user.password_hash
+    test "returns ok on empty attrs" do
+      user = UsersFixtures.create_user()
+      assert {:ok, _user} = Users.admin_update_user(user, %{})
     end
 
-    test "prevents clearing the password", %{user: user} do
-      {:ok, new_user} = Users.admin_update_user(user, @clear_hash_params)
-      assert new_user.password_hash == user.password_hash
+    test "allows changing user password" do
+      user = UsersFixtures.create_user()
+
+      attrs =
+        UsersFixtures.user_attrs()
+        |> Map.take([:password, :password_confirmation])
+
+      assert {:ok, updated_user} = Users.admin_update_user(user, attrs)
+
+      assert updated_user.password_hash != user.password_hash
     end
 
-    test "nil password params", %{user: user} do
-      {:ok, new_user} = Users.admin_update_user(user, @empty_password_params)
-      assert new_user.password_hash == user.password_hash
+    test "allows changing user email" do
+      user = UsersFixtures.create_user()
+
+      attrs =
+        UsersFixtures.user_attrs()
+        |> Map.take([:email])
+
+      assert {:ok, updated_user} = Users.admin_update_user(user, attrs)
+
+      assert updated_user.email == attrs.email
+      assert updated_user.email != user.email
     end
 
-    test "changes email", %{user: user} do
-      {:ok, new_user} = Users.admin_update_user(user, @email_params)
-      assert new_user.email == "new_email@test"
+    # XXX: This doesn't feel right as the outcome is a completely new user
+    test "allows changing both email and password" do
+      user = UsersFixtures.create_user()
+      attrs = UsersFixtures.user_attrs()
+
+      assert {:ok, updated_user} = Users.admin_update_user(user, attrs)
+
+      assert updated_user.password_hash != user.password_hash
+      assert updated_user.email != user.email
     end
 
-    test "handles empty params", %{user: user} do
-      assert {:ok, _new_user} = Users.admin_update_user(user, %{})
-    end
+    test "does not allow to clear the password" do
+      password = "password1234"
+      user = UsersFixtures.create_user(%{password: password})
 
-    test "handles nil password", %{user: user} do
-      assert {:ok, _new_user} = Users.admin_update_user(user, @email_empty_password_params)
-    end
+      attrs = %{
+        "password" => nil,
+        "password_hash" => nil
+      }
 
-    test "changes email and password", %{user: user} do
-      {:ok, new_user} = Users.admin_update_user(user, @email_and_password_params)
-      assert new_user.email == "new_email@test"
-      assert new_user.password_hash != user.password_hash
+      assert {:ok, updated_user} = Users.admin_update_user(user, attrs)
+      assert updated_user.password_hash == user.password_hash
+
+      attrs = %{
+        "password" => "",
+        "password_hash" => ""
+      }
+
+      assert {:ok, updated_user} = Users.admin_update_user(user, attrs)
+      assert updated_user.password_hash == user.password_hash
     end
   end
 
   describe "unprivileged_update_self/2" do
-    setup :create_user
-
-    test "changes password", %{user: user} do
-      {:ok, new_user} = Users.unprivileged_update_self(user, @password_params)
-      assert new_user.password_hash != user.password_hash
+    test "returns ok on empty attrs" do
+      user = UsersFixtures.create_user()
+      assert {:ok, _user} = Users.unprivileged_update_self(user, %{})
     end
 
-    test "prevents clearing the password", %{user: user} do
-      assert {:error, _changeset} = Users.unprivileged_update_self(user, @clear_hash_params)
+    test "allows changing user password" do
+      user = UsersFixtures.create_user()
+
+      attrs =
+        UsersFixtures.user_attrs()
+        |> Map.take([:password, :password_confirmation])
+
+      assert {:ok, updated_user} = Users.unprivileged_update_self(user, attrs)
+
+      assert updated_user.password_hash != user.password_hash
     end
 
-    test "prevents changing email", %{user: user} do
-      {:ok, new_user} = Users.unprivileged_update_self(user, @email_and_password_params)
-      assert new_user.email == user.email
+    test "does not allow changing user email" do
+      user = UsersFixtures.create_user()
+
+      attrs =
+        UsersFixtures.user_attrs()
+        |> Map.take([:email])
+
+      assert {:ok, updated_user} = Users.unprivileged_update_self(user, attrs)
+
+      assert updated_user.email != attrs.email
+      assert updated_user.email == user.email
+    end
+
+    test "does not allow to clear the password" do
+      password = "password1234"
+      user = UsersFixtures.create_user(%{password: password})
+
+      attrs = %{
+        "password" => nil,
+        "password_hash" => nil
+      }
+
+      assert {:ok, updated_user} = Users.unprivileged_update_self(user, attrs)
+      assert updated_user.password_hash == user.password_hash
+
+      attrs = %{
+        "password" => "",
+        "password_hash" => ""
+      }
+
+      assert {:ok, updated_user} = Users.unprivileged_update_self(user, attrs)
+      assert updated_user.password_hash == user.password_hash
     end
   end
 
-  describe "admin_update_self/2" do
-    setup :create_user
-
-    test "does not change password when current_password invalid", %{user: user} do
-      {:error, changeset} = Users.admin_update_self(user, @change_password_invalid_params)
-      assert [current_password: _] = changeset.errors
+  describe "update_user_role/2" do
+    test "allows to change user role" do
+      user = UsersFixtures.create_user()
+      assert {:ok, %{role: :unprivileged}} = Users.update_user_role(user, :unprivileged)
+      assert {:ok, %{role: :admin}} = Users.update_user_role(user, :admin)
     end
 
-    test "changes password when current_password valid", %{user: user} do
-      {:ok, new_user} = Users.admin_update_self(user, @change_password_valid_params)
-      assert new_user.password_hash != user.password_hash
+    test "raises on invalid role" do
+      user = UsersFixtures.create_user()
+
+      assert {:error, changeset} = Users.update_user_role(user, :foo)
+      assert errors_on(changeset) == %{role: ["is invalid"]}
     end
   end
 
-  describe "update_*" do
-    setup :create_user
+  describe "delete_user/1" do
+    test "deletes a user" do
+      user = UsersFixtures.create_user()
+      assert {:ok, _user} = Users.delete_user(user)
+      assert is_nil(Repo.one(Users.User))
+    end
+  end
 
-    @sign_in_token_params %{
-      sign_in_token: "foobar",
-      sign_in_token_created_at: DateTime.utc_now()
-    }
+  describe "change_user/1" do
+    test "returns changeset" do
+      user = UsersFixtures.create_user()
+      assert %Ecto.Changeset{} = Users.change_user(user)
+    end
+  end
 
-    test "update sign_in_token", %{user: user} do
-      {:ok, new_user} = Users.update_user_sign_in_token(user, @sign_in_token_params)
+  describe "as_settings/0" do
+    test "returns list of user-id maps" do
+      assert Users.as_settings() == MapSet.new([])
 
-      assert new_user.sign_in_token == @sign_in_token_params.sign_in_token
+      expected_users =
+        [
+          UsersFixtures.create_user(),
+          UsersFixtures.create_user()
+        ]
+        |> Enum.map(& &1.id)
 
-      {:ok, new_user} =
-        Users.update_user_sign_in_token(new_user, %{
-          sign_in_token: nil,
-          sign_in_token_created_at: nil
-        })
+      assert Users.as_settings() == MapSet.new(expected_users)
+    end
+  end
 
-      assert is_nil(new_user.sign_in_token)
+  describe "setting_projection/1" do
+    test "projects expected fields with user" do
+      user = UsersFixtures.create_user()
+      assert user.id == Users.setting_projection(user)
     end
 
-    test "update role", %{user: user} do
-      {:ok, user} = Users.update_user_role(user, :admin)
-      assert user.role == :admin
-
-      {:ok, user} = Users.update_user_role(user, :unprivileged)
-      assert user.role == :unprivileged
+    test "projects expected fields with user map" do
+      user = UsersFixtures.create_user()
+      user_map = Map.from_struct(user)
+      assert user.id == Users.setting_projection(user_map)
     end
+  end
+
+  describe "update_last_signed_in/2" do
+    test "updates last_signed_in_* fields" do
+      user = UsersFixtures.create_user()
 
-    test "update last_signed_in_*", %{user: user} do
       {:ok, user} = Users.update_last_signed_in(user, %{provider: :test})
       assert user.last_signed_in_method == "test"
 
@@ -311,81 +523,61 @@ defmodule FzHttp.UsersTest do
     end
   end
 
-  describe "delete_user/1" do
-    setup :create_user
+  describe "vpn_session_expires_at/1" do
+    test "returns expiration datetime of VPN session" do
+      now = DateTime.utc_now()
+      Configurations.put!(:vpn_session_duration, 30)
 
-    test "raises Ecto.NoResultsError when a deleted user is fetched", %{user: user} do
-      Users.delete_user(user)
+      user =
+        UsersFixtures.create_user()
+        |> change(%{last_signed_in_at: now})
+        |> Repo.update!()
 
-      assert_raise(Ecto.NoResultsError, fn ->
-        Users.get_user!(user.id)
-      end)
+      assert DateTime.diff(Users.vpn_session_expires_at(user), now, :second) in 28..32
     end
   end
 
-  describe "change_user/1" do
-    setup :create_user
-
-    test "returns changeset", %{user: user} do
-      assert %Ecto.Changeset{} = Users.change_user(user)
-    end
-  end
-
-  describe "new_user/0" do
-    test "returns changeset" do
-      assert %Ecto.Changeset{} = Users.new_user()
-    end
-  end
-
-  describe "enable_vpn_connection/2" do
-    import Ecto.Changeset
-
-    setup :create_user
-
-    setup %{user: user} do
-      user = user |> change |> put_change(:disabled_at, DateTime.utc_now()) |> Repo.update!()
-      {:ok, user: user}
+  describe "vpn_session_expired?/1" do
+    test "returns false when user did not sign in" do
+      Configurations.put!(:vpn_session_duration, 30)
+      user = UsersFixtures.create_user()
+      assert Users.vpn_session_expired?(user) == false
     end
 
-    @tag role: :unprivileged
-    test "enable via OIDC", %{user: user} do
-      Users.enable_vpn_connection(user, %{provider: :oidc})
+    test "returns false when VPN session is not expired" do
+      Configurations.put!(:vpn_session_duration, 30)
+      user = UsersFixtures.create_user()
 
-      user = Repo.reload(user)
+      user =
+        user
+        |> change(%{last_signed_in_at: DateTime.utc_now()})
+        |> Repo.update!()
 
-      assert %{disabled_at: nil} = user
+      assert Users.vpn_session_expired?(user) == false
     end
 
-    @tag role: :unprivileged
-    test "no change via password", %{user: user} do
-      Users.enable_vpn_connection(user, %{provider: :identity})
+    test "returns true when VPN session is expired" do
+      Configurations.put!(:vpn_session_duration, 30)
+      user = UsersFixtures.create_user()
 
-      user = Repo.reload(user)
+      user =
+        user
+        |> change(%{last_signed_in_at: DateTime.utc_now() |> DateTime.add(-31, :second)})
+        |> Repo.update!()
 
-      assert user.disabled_at
-    end
-  end
-
-  describe "setting_projection/1" do
-    setup [:create_rule_with_user_and_device]
-
-    test "projects expected fields with user", %{user: user} do
-      assert user.id == Users.setting_projection(user)
+      assert Users.vpn_session_expired?(user) == true
     end
 
-    test "projects expected fields with user map", %{user: user} do
-      user_map = Map.from_struct(user)
-      assert user.id == Users.setting_projection(user_map)
-    end
-  end
+    test "returns false when VPN session never expires" do
+      Configurations.put!(:vpn_session_duration, 0)
+      user = UsersFixtures.create_user()
 
-  describe "as_settings/0" do
-    setup [:create_rules]
+      user =
+        user
+        |> change(%{last_signed_in_at: ~U[1990-01-01 01:01:01.000001Z]})
+        |> Repo.update!()
 
-    test "Maps rules to projections", %{users: users} do
-      expected_users = Enum.map(users, &Users.setting_projection/1) |> MapSet.new()
-
-      assert Users.as_settings() == expected_users
+      assert Users.vpn_session_expired?(user) == false
     end
   end
 end
diff --git a/apps/fz_http/test/fz_http_web/acceptance/admin_test.exs b/apps/fz_http/test/fz_http_web/acceptance/admin_test.exs
new file mode 100644
index 000000000..dbef633bd
--- /dev/null
+++ b/apps/fz_http/test/fz_http_web/acceptance/admin_test.exs
@@ -0,0 +1,673 @@
+defmodule FzHttpWeb.Acceptance.AdminTest do
+  use FzHttpWeb.AcceptanceCase, async: true
+  alias FzHttp.UsersFixtures
+  alias FzHttp.DevicesFixtures
+
+  setup tags do
+    user = UsersFixtures.create_user_with_role(:admin)
+
+    session =
+      tags.session
+      |> visit(~p"/")
+      |> Auth.authenticate(user)
+
+    tags
+    |> Map.put(:session, session)
+    |> Map.put(:user, user)
+  end
+
+  describe "user management" do
+    feature "create new unprivileged users without password", %{session: session, user: user} do
+      attrs = UsersFixtures.user_attrs()
+
+      session
+      |> visit(~p"/users/new")
+      |> assert_el(Query.text("Add User", minimum: 1))
+      |> fill_in(Query.fillable_field("user[email]"), with: "xxx")
+      |> click(Query.button("Save"))
+      |> assert_el(Query.text("is invalid email address"))
+      |> fill_in(Query.fillable_field("user[email]"), with: user.email)
+      |> click(Query.button("Save"))
+      |> assert_el(Query.text("has already been taken"))
+      |> fill_in(Query.fillable_field("user[email]"), with: attrs.email)
+      |> click(Query.button("Save"))
+      |> assert_el(Query.text("User created successfully."))
+      |> assert_el(Query.text(attrs.email, minimum: 1))
+
+      assert Repo.get_by(FzHttp.Users.User, email: attrs.email)
+    end
+
+    feature "create new unprivileged users with password auth", %{session: session, user: user} do
+      attrs = UsersFixtures.user_attrs()
+
+      session
+      |> visit(~p"/users/new")
+      |> assert_el(Query.text("Add User", minimum: 1))
+      |> fill_form(%{
+        "user[email]" => "xxx",
+        "user[password]" => "yyy",
+        "user[password_confirmation]" => "zzz"
+      })
+      |> click(Query.button("Save"))
+      |> assert_el(Query.text("is invalid email address"))
+      |> assert_el(Query.text("should be at least 12 character(s)"))
+      |> assert_el(Query.text("does not match confirmation"))
+      |> fill_form(%{
+        "user[email]" => user.email,
+        "user[password]" => "firezone1234",
+        "user[password_confirmation]" => "firezone1234"
+      })
+      |> click(Query.button("Save"))
+      |> assert_el(Query.text("has already been taken"))
+      # XXX: for some reason form rests when email has already been taken
+      |> fill_form(%{
+        "user[email]" => attrs.email,
+        "user[password]" => attrs.password,
+        "user[password_confirmation]" => attrs.password_confirmation
+      })
+      |> click(Query.button("Save"))
+      |> assert_el(Query.text("User created successfully."))
+      |> assert_el(Query.text("unprivileged", minimum: 1))
+      |> assert_el(Query.text(attrs.email, minimum: 1))
+
+      assert user = Repo.get_by(FzHttp.Users.User, email: attrs.email)
+      assert user.role == :unprivileged
+      assert FzCommon.FzCrypto.equal?(attrs.password, user.password_hash)
+    end
+
+    feature "change user email and password", %{session: session} do
+      user = UsersFixtures.create_user_with_role(:admin)
+
+      session
+      |> visit(~p"/users/#{user.id}")
+      |> assert_el(Query.link("Change Email or Password"))
+      |> click(Query.link("Change Email or Password"))
+      |> assert_el(Query.text("Change user email or enter new password below."))
+      |> fill_form(%{
+        "user[email]" => "foo",
+        "user[password]" => "123",
+        "user[password_confirmation]" => "1234"
+      })
+      |> click(Query.button("Save"))
+      |> assert_el(Query.text("is invalid email address"))
+      |> assert_el(Query.text("should be at least 12 character(s)"))
+      |> assert_el(Query.text("does not match confirmation"))
+      |> fill_form(%{
+        "user[email]" => "foo@xample.com",
+        "user[password]" => "mynewpassword",
+        "user[password_confirmation]" => "mynewpassword"
+      })
+      |> click(Query.button("Save"))
+      |> assert_el(Query.text("User updated successfully."))
+
+      assert updated_user = Repo.get(FzHttp.Users.User, user.id)
+      assert updated_user.password_hash != user.password_hash
+      assert updated_user.email == "foo@xample.com"
+    end
+
+    feature "promote and demote users", %{session: session} do
+      user = UsersFixtures.create_user_with_role(:admin)
+
+      session =
+        session
+        |> visit(~p"/users/#{user.id}")
+        |> assert_el(Query.link("Change Email or Password"))
+
+      accept_confirm(session, fn session ->
+        session
+        |> click(Query.button("demote"))
+        |> assert_el(Query.text("User updated successfully."))
+      end)
+
+      assert updated_user = Repo.get(FzHttp.Users.User, user.id)
+      assert updated_user.role == :unprivileged
+
+      accept_confirm(session, fn session ->
+        session
+        |> click(Query.button("promote"))
+        |> assert_el(Query.text("User updated successfully."))
+      end)
+
+      assert updated_user = Repo.get(FzHttp.Users.User, user.id)
+      assert updated_user.role == :admin
+    end
+
+    feature "disable and enable user VPN connection", %{session: session} do
+      user = UsersFixtures.create_user_with_role(:admin)
+
+      session =
+        session
+        |> visit(~p"/users/#{user.id}")
+        |> assert_el(Query.link("Change Email or Password"))
+
+      accept_confirm(session, fn session ->
+        session
+        |> toggle("toggle_disabled_at")
+      end)
+
+      # XXX: We need to show some kind of message when status changed
+      Process.sleep(100)
+
+      assert updated_user = Repo.get(FzHttp.Users.User, user.id)
+      assert updated_user.disabled_at
+
+      accept_confirm(session, fn session ->
+        session
+        |> toggle("toggle_disabled_at")
+      end)
+
+      Process.sleep(100)
+
+      assert updated_user = Repo.get(FzHttp.Users.User, user.id)
+      refute updated_user.disabled_at
+    end
+
+    feature "delete user", %{session: session, user: user} do
+      unprivileged_user = UsersFixtures.create_user_with_role(:unprivileged)
+
+      session =
+        session
+        |> visit(~p"/users/#{user.id}")
+        |> assert_el(Query.button("Delete User"))
+
+      accept_confirm(session, fn session ->
+        click(session, Query.button("Delete User"))
+      end)
+
+      assert_el(session, Query.text("Use the account section to delete your account."))
+
+      assert Repo.get(FzHttp.Users.User, user.id)
+
+      session
+      |> visit(~p"/users/#{unprivileged_user.id}")
+      |> assert_el(Query.button("Delete User"))
+
+      accept_confirm(session, fn session ->
+        click(session, Query.button("Delete User"))
+      end)
+
+      assert_el(session, Query.text("User deleted successfully."))
+
+      refute Repo.get(FzHttp.Users.User, unprivileged_user.id)
+    end
+  end
+
+  describe "device management" do
+    feature "can add devices for users", %{session: session} do
+      user = UsersFixtures.create_user_with_role(:unprivileged)
+
+      session
+      |> visit(~p"/users/#{user.id}")
+      |> assert_el(Query.text("No devices."))
+      |> assert_el(Query.link("Add Device"))
+      |> click(Query.link("Add Device"))
+      |> assert_el(Query.button("Generate Configuration"))
+      |> set_value(Query.css("#create-device_use_default_allowed_ips_false"), :selected)
+      |> set_value(Query.css("#create-device_use_default_dns_false"), :selected)
+      |> set_value(Query.css("#create-device_use_default_endpoint_false"), :selected)
+      |> set_value(Query.css("#create-device_use_default_mtu_false"), :selected)
+      |> set_value(
+        Query.css("#create-device_use_default_persistent_keepalive_false"),
+        :selected
+      )
+      |> fill_form(%{
+        "device[allowed_ips]" => "127.0.0.1",
+        "device[name]" => "big-leg-007",
+        "device[description]" => "Dummy description",
+        "device[dns]" => "1.1.1.1,2.2.2.2",
+        "device[endpoint]" => "example.com:51820",
+        "device[mtu]" => "1400",
+        "device[persistent_keepalive]" => "10",
+        "device[ipv4]" => "10.10.11.1",
+        "device[ipv6]" => "fd00::1e:3f96"
+      })
+      |> click(Query.button("Generate Configuration"))
+      |> assert_el(Query.text("Device added!"))
+      |> click(Query.css("button[phx-click=\"close\"]"))
+      |> assert_el(Query.link("Add Device"))
+      |> assert_el(Query.link("big-leg-007"))
+
+      assert device = Repo.one(FzHttp.Devices.Device)
+      assert device.name == "big-leg-007"
+      assert device.description == "Dummy description"
+      assert device.allowed_ips == "127.0.0.1"
+      assert device.dns == "1.1.1.1,2.2.2.2"
+      assert device.endpoint == "example.com:51820"
+      assert device.mtu == 1400
+      assert device.persistent_keepalive == 10
+      assert device.ipv4 == %Postgrex.INET{address: {10, 10, 11, 1}}
+      assert device.ipv6 == %Postgrex.INET{address: {64_768, 0, 0, 0, 0, 0, 30, 16_278}}
+    end
+
+    feature "can see devices, their details and delete them", %{session: session} do
+      device1 = DevicesFixtures.device()
+      device2 = DevicesFixtures.device()
+
+      session =
+        session
+        |> visit(~p"/devices")
+        |> assert_el(Query.text("All Devices"))
+        |> assert_el(Query.link(device1.name))
+        |> click(Query.link(device2.name))
+        |> assert_el(Query.text("Danger Zone"))
+        |> assert_el(Query.text(device2.public_key))
+
+      accept_confirm(session, fn session ->
+        click(session, Query.button("Delete Device #{device2.name}"))
+      end)
+
+      assert_el(session, Query.text("All Devices"))
+
+      assert Repo.aggregate(FzHttp.Devices.Device, :count) == 1
+    end
+  end
+
+  describe "rules" do
+    feature "manage allow rules", %{session: session, user: user} do
+      session =
+        session
+        |> visit(~p"/rules")
+        |> assert_has(Query.text("Egress Rules"))
+        |> find(Query.css("#accept-form"), fn parent ->
+          parent
+          |> set_value(Query.select("rule[port_type]"), "tcp")
+          |> set_value(Query.select("rule[user_id]"), user.email)
+          |> fill_form(%{
+            "rule[destination]" => "8.8.4.4",
+            "rule[port_range]" => "1-8000"
+          })
+          |> click(Query.button("Add"))
+        end)
+        |> assert_has(Query.text("8.8.4.4"))
+        |> assert_has(Query.link("Delete"))
+
+      assert rule = Repo.one(FzHttp.Rules.Rule)
+      assert rule.destination == %Postgrex.INET{address: {8, 8, 4, 4}}
+      assert rule.port_range == "1 - 8000"
+      assert rule.port_type == :tcp
+
+      click(session, Query.link("Delete"))
+
+      # XXX: We need to show a confirmation dialog on delete,
+      # and message once record was saved or deleted.
+      Process.sleep(100)
+      assert is_nil(Repo.one(FzHttp.Rules.Rule))
+    end
+  end
+
+  describe "settings" do
+    feature "change default settings", %{session: session} do
+      session
+      |> visit(~p"/settings/client_defaults")
+      |> assert_el(Query.text("Client Defaults", count: 2))
+      |> fill_form(%{
+        "configuration[default_client_allowed_ips]" => "192.0.0.0/0,::/0",
+        "configuration[default_client_dns]" => "1.1.1.1,2.2.2.2",
+        "configuration[default_client_endpoint]" => "example.com:8123",
+        "configuration[default_client_persistent_keepalive]" => "10",
+        "configuration[default_client_mtu]" => "1234"
+      })
+      |> click(Query.button("Save"))
+      # XXX: We need to show a flash that settings are saved
+      |> visit(~p"/settings/client_defaults")
+      |> assert_el(Query.text("Client Defaults", count: 2))
+
+      assert configuration = FzHttp.Configurations.get_configuration!()
+      assert configuration.default_client_persistent_keepalive == 10
+      assert configuration.default_client_mtu == 1234
+      assert configuration.default_client_endpoint == "example.com:8123"
+      assert configuration.default_client_dns == "1.1.1.1,2.2.2.2"
+      assert configuration.default_client_allowed_ips == "192.0.0.0/0,::/0"
+    end
+  end
+
+  describe "customization" do
+    feature "allows to change logo using a URL", %{session: session} do
+      session
+      |> visit(~p"/settings/customization")
+      |> assert_el(Query.text("Customization", count: 2))
+      |> set_value(Query.css("input[value=\"URL\"]"), :selected)
+      |> fill_in(Query.fillable_field("url"), with: "https://http.cat/200")
+      |> click(Query.button("Save"))
+      |> assert_el(Query.css("img[src=\"https://http.cat/200\"]"))
+
+      assert configuration = FzHttp.Configurations.get_configuration!()
+      assert configuration.logo.url == "https://http.cat/200"
+    end
+  end
+
+  describe "security" do
+    feature "change security settings", %{
+      session: session
+    } do
+      assert configuration = FzHttp.Configurations.get_configuration!()
+      assert configuration.local_auth_enabled == true
+      assert configuration.allow_unprivileged_device_management == true
+      assert configuration.allow_unprivileged_device_configuration == true
+      assert configuration.disable_vpn_on_oidc_error == false
+
+      session
+      |> visit(~p"/settings/security")
+      |> assert_el(Query.text("Security Settings"))
+      |> toggle("local_auth_enabled")
+      |> toggle("allow_unprivileged_device_management")
+      |> toggle("allow_unprivileged_device_configuration")
+      |> toggle("disable_vpn_on_oidc_error")
+      |> assert_el(Query.text("Security Settings"))
+
+      assert configuration = FzHttp.Configurations.get_configuration!()
+      assert configuration.local_auth_enabled == false
+      assert configuration.allow_unprivileged_device_management == false
+      assert configuration.allow_unprivileged_device_configuration == false
+      assert configuration.disable_vpn_on_oidc_error == true
+    end
+
+    feature "change required authentication timeout", %{session: session} do
+      assert configuration = FzHttp.Configurations.get_configuration!()
+      assert configuration.vpn_session_duration == 0
+
+      session
+      |> visit(~p"/settings/security")
+      |> assert_el(Query.text("Security Settings"))
+      |> find(Query.select("configuration[vpn_session_duration]"), fn select ->
+        click(select, Query.option("Every Week"))
+      end)
+      |> click(Query.css("[type=\"submit\""))
+      |> assert_el(Query.text("Security Settings"))
+
+      # XXX: We need to show a flash that settings are saved
+      Process.sleep(200)
+
+      assert configuration = FzHttp.Configurations.get_configuration!()
+      assert configuration.vpn_session_duration == 604_800
+    end
+
+    feature "manage OpenIDConnect providers", %{session: session} do
+      {_bypass, uri} = FzHttp.ConfigurationsFixtures.discovery_document_server()
+
+      # Create
+      session =
+        session
+        |> visit(~p"/settings/security")
+        |> assert_el(Query.text("Security Settings"))
+        |> click(Query.link("Add OpenID Connect Provider"))
+        |> assert_el(Query.text("OIDC Configuration"))
+        |> fill_in(Query.fillable_field("open_id_connect_provider[id]"), with: "oidc-foo-bar")
+        |> fill_in(Query.fillable_field("open_id_connect_provider[label]"), with: "Firebook")
+        |> fill_in(Query.fillable_field("open_id_connect_provider[scope]"),
+          with: "openid email eyes_color"
+        )
+        |> fill_in(Query.fillable_field("open_id_connect_provider[client_id]"), with: "CLIENT_ID")
+        |> fill_in(Query.fillable_field("open_id_connect_provider[client_secret]"),
+          with: "CLIENT_SECRET"
+        )
+        |> fill_in(Query.fillable_field("open_id_connect_provider[discovery_document_uri]"),
+          with: uri
+        )
+        |> fill_in(Query.fillable_field("open_id_connect_provider[redirect_uri]"),
+          with: "http://localhost/redirect"
+        )
+        |> toggle("open_id_connect_provider[auto_create_users]")
+        |> click(Query.css("button[form=\"oidc-form\"]"))
+        |> assert_el(Query.text("Updated successfully."))
+        |> assert_el(Query.text("oidc-foo-bar"))
+        |> assert_el(Query.text("Firebook"))
+
+      assert [open_id_connect_provider] = FzHttp.Configurations.get!(:openid_connect_providers)
+
+      assert open_id_connect_provider ==
+               %FzHttp.Configurations.Configuration.OpenIDConnectProvider{
+                 id: "oidc-foo-bar",
+                 label: "Firebook",
+                 scope: "openid email eyes_color",
+                 response_type: "code",
+                 client_id: "CLIENT_ID",
+                 client_secret: "CLIENT_SECRET",
+                 discovery_document_uri: uri,
+                 redirect_uri: "http://localhost/redirect",
+                 auto_create_users: true
+               }
+
+      # Edit
+      session =
+        session
+        |> click(Query.link("Edit"))
+        |> assert_el(Query.text("OIDC Configuration"))
+        |> fill_in(Query.fillable_field("open_id_connect_provider[label]"), with: "Metabook")
+        |> click(Query.css("button[form=\"oidc-form\"]"))
+        |> assert_el(Query.text("Updated successfully."))
+        |> assert_el(Query.text("Metabook"))
+
+      assert [open_id_connect_provider] = FzHttp.Configurations.get!(:openid_connect_providers)
+      assert open_id_connect_provider.label == "Metabook"
+
+      # Delete
+      accept_confirm(session, fn session ->
+        click(session, Query.button("Delete"))
+      end)
+
+      assert_el(session, Query.text("Updated successfully."))
+
+      assert FzHttp.Configurations.get!(:openid_connect_providers) == []
+    end
+
+    feature "manage SAML providers", %{session: session} do
+      saml_metadata = FzHttp.SAMLIdentityProviderFixtures.metadata()
+
+      # Create
+      session =
+        session
+        |> visit(~p"/settings/security")
+        |> assert_el(Query.text("Security Settings"))
+        |> click(Query.link("Add SAML Identity Provider"))
+        |> assert_el(Query.text("SAML Configuration"))
+        |> toggle("saml_identity_provider[sign_requests]")
+        |> toggle("saml_identity_provider[sign_metadata]")
+        |> toggle("saml_identity_provider[signed_assertion_in_resp]")
+        |> toggle("saml_identity_provider[signed_envelopes_in_resp]")
+        |> toggle("saml_identity_provider[auto_create_users]")
+        |> fill_in(Query.fillable_field("saml_identity_provider[id]"), with: "foo-bar-buz")
+        |> fill_in(Query.fillable_field("saml_identity_provider[label]"), with: "Sneaky ID")
+        |> fill_in(Query.fillable_field("saml_identity_provider[base_url]"),
+          with: "http://localhost:4002/autX/saml#foo"
+        )
+        |> fill_in(Query.fillable_field("saml_identity_provider[metadata]"),
+          with: saml_metadata
+        )
+        |> click(Query.css("button[form=\"saml-form\"]"))
+        |> assert_el(Query.text("Updated successfully."))
+        |> assert_el(Query.text("foo-bar-buz"))
+        |> assert_el(Query.text("Sneaky ID"))
+
+      assert [saml_identity_provider] = FzHttp.Configurations.get!(:saml_identity_providers)
+
+      assert saml_identity_provider ==
+               %FzHttp.Configurations.Configuration.SAMLIdentityProvider{
+                 id: "foo-bar-buz",
+                 label: "Sneaky ID",
+                 base_url: "http://localhost:4002/autX/saml#foo",
+                 metadata: saml_metadata,
+                 sign_requests: false,
+                 sign_metadata: false,
+                 signed_assertion_in_resp: false,
+                 signed_envelopes_in_resp: false,
+                 auto_create_users: true
+               }
+
+      # Edit
+      session =
+        session
+        |> click(Query.link("Edit"))
+        |> assert_el(Query.text("SAML Configuration"))
+        |> fill_in(Query.fillable_field("saml_identity_provider[label]"), with: "Sneaky XID")
+        |> click(Query.css("button[form=\"saml-form\"]"))
+        |> assert_el(Query.text("Updated successfully."))
+        |> assert_el(Query.text("Sneaky XID"))
+
+      assert [saml_identity_provider] = FzHttp.Configurations.get!(:saml_identity_providers)
+      assert saml_identity_provider.label == "Sneaky XID"
+
+      # Delete
+      accept_confirm(session, fn session ->
+        click(session, Query.button("Delete"))
+      end)
+
+      assert_el(session, Query.text("Updated successfully."))
+
+      assert FzHttp.Configurations.get!(:saml_identity_providers) == []
+    end
+  end
+
+  describe "profile" do
+    feature "edit profile", %{
+      session: session,
+      user: user
+    } do
+      session
+      |> visit(~p"/settings/account")
+      |> assert_el(Query.link("Change Email or Password"))
+      |> click(Query.link("Change Email or Password"))
+      |> assert_el(Query.text("Edit Account"))
+      |> fill_form(%{
+        "user[email]" => "foo",
+        "user[password]" => "123",
+        "user[password_confirmation]" => "1234"
+      })
+      |> click(Query.button("Save"))
+      |> assert_el(Query.text("is invalid email address"))
+      |> assert_el(Query.text("should be at least 12 character(s)"))
+      |> assert_el(Query.text("does not match confirmation"))
+      |> fill_form(%{
+        "user[email]" => "foo@xample.com",
+        "user[password]" => "mynewpassword",
+        "user[password_confirmation]" => "mynewpassword"
+      })
+      |> click(Query.button("Save"))
+      |> assert_el(Query.text("Account updated successfully."))
+
+      assert updated_user = Repo.one(FzHttp.Users.User)
+      assert updated_user.password_hash != user.password_hash
+      assert updated_user.email == "foo@xample.com"
+    end
+
+    feature "can see active user sessions", %{
+      session: session,
+      user_agent: user_agent
+    } do
+      session
+      |> visit(~p"/settings/account")
+      |> assert_el(Query.text("Active Sessions"))
+      |> assert_el(Query.text(user_agent))
+    end
+
+    feature "can delete own account if there are other admins", %{session: session} do
+      session =
+        session
+        |> visit(~p"/settings/account")
+        |> assert_el(Query.text("Danger Zone"))
+
+      assert attr(session, Query.button("Delete Your Account"), "disabled") ==
+               "true"
+
+      UsersFixtures.create_user_with_role(:admin)
+
+      session =
+        session
+        |> visit(~p"/settings/account")
+        |> assert_el(Query.text("Danger Zone"))
+
+      accept_confirm(session, fn session ->
+        click(session, Query.button("Delete Your Account"))
+      end)
+
+      session
+      |> Auth.assert_unauthenticated()
+      |> assert_path("/")
+    end
+  end
+
+  describe "api tokens" do
+    feature "create, use using curl and delete API tokens", %{
+      session: session,
+      user: user,
+      user_agent: user_agent
+    } do
+      session =
+        session
+        |> visit(~p"/settings/account")
+        |> assert_el(Query.text("API Tokens"))
+        |> assert_el(Query.text("No API tokens."))
+        |> click(Query.css("[href=\"/settings/account/api_token\"]"))
+        |> assert_el(Query.text("Add API Token", minimum: 1))
+        |> fill_form(%{
+          "api_token[expires_in]" => 1
+        })
+        |> click(Query.button("Save"))
+        |> assert_el(Query.text("API token secret:"))
+
+      api_token_secret = text(session, Query.css("#api-token-secret"))
+      curl_example = text(session, Query.css("#api-usage-example"))
+      curl_example = String.replace(curl_example, ~r/^.*curl/is, "curl")
+
+      assert String.contains?(curl_example, api_token_secret)
+      assert api_token = Repo.one(FzHttp.ApiTokens.ApiToken)
+      assert api_token.user_id == user.id
+
+      args =
+        curl_example
+        |> String.trim_leading("curl ")
+        |> String.replace("\\\n", "")
+        |> String.replace(~r/[ ]+/, " ")
+        |> String.replace("'", "")
+        |> String.split(" ")
+        |> curl_args([])
+
+      args = ["-s", "-H", "User-Agent:#{user_agent}"] ++ args
+      {resp, _} = System.cmd("curl", args, stderr_to_stdout: true)
+
+      assert %{"data" => [%{"id" => user_id}]} = Jason.decode!(resp)
+      assert user_id == user.id
+
+      session =
+        session
+        |> click(Query.css("button[aria-label=\"close\"]"))
+        |> assert_el(Query.text("API Tokens"))
+        |> assert_el(Query.link("Delete"))
+        |> click(Query.link(api_token.id))
+        |> assert_el(Query.text("API token secret:"))
+        |> click(Query.css("button[aria-label=\"close\"]"))
+        |> assert_el(Query.link("Delete"))
+
+      accept_confirm(session, fn session ->
+        click(session, Query.link("Delete"))
+      end)
+
+      assert_el(session, Query.text("No API tokens."))
+
+      assert is_nil(Repo.one(FzHttp.ApiTokens.ApiToken))
+    end
+  end
+
+  defp curl_args([], acc) do
+    acc
+  end
+
+  defp curl_args(["-H", header, "Bearer", token | rest], acc) do
+    acc = acc ++ ["-H", "#{header}Bearer #{token}"]
+    curl_args(rest, acc)
+  end
+
+  defp curl_args(["-H", header, value | rest], acc) do
+    acc = acc ++ ["-H", "#{header}#{value}"]
+    curl_args(rest, acc)
+  end
+
+  defp curl_args(["http" <> _ = url | rest], acc) do
+    acc = acc ++ [url]
+    curl_args(rest, acc)
+  end
+
+  defp curl_args([other | rest], acc) do
+    curl_args(rest, acc ++ [other])
+  end
+end
diff --git a/apps/fz_http/test/fz_http_web/acceptance/authentication_test.exs b/apps/fz_http/test/fz_http_web/acceptance/authentication_test.exs
new file mode 100644
index 000000000..57c3595d1
--- /dev/null
+++ b/apps/fz_http/test/fz_http_web/acceptance/authentication_test.exs
@@ -0,0 +1,414 @@
+defmodule FzHttpWeb.Acceptance.AuthenticationTest do
+  use FzHttpWeb.AcceptanceCase, async: true
+  alias FzHttp.UsersFixtures
+
+  describe "using login and password" do
+    feature "renders error on invalid login or password", %{session: session} do
+      session
+      |> password_login_flow("foo@bar.com", "firezone1234")
+      |> assert_error_flash(
+        "Error signing in: user credentials are invalid or user does not exist"
+      )
+    end
+
+    feature "renders error on invalid password", %{session: session} do
+      user = UsersFixtures.create_user()
+
+      session
+      |> password_login_flow(user.email, "firezone1234")
+      |> assert_error_flash(
+        "Error signing in: user credentials are invalid or user does not exist"
+      )
+      |> Auth.assert_unauthenticated()
+    end
+
+    feature "redirects to /users after successful log in as admin", %{session: session} do
+      password = "firezone1234"
+      user = UsersFixtures.create_user(password: password, password_confirmation: password)
+
+      session
+      |> password_login_flow(user.email, password)
+      |> assert_el(Query.css(".is-user-name span"))
+      |> assert_path("/users")
+      |> Auth.assert_authenticated(user)
+    end
+
+    feature "redirects to /user_devices after successful log in as unprivileged user", %{
+      session: session
+    } do
+      password = "firezone1234"
+
+      user =
+        UsersFixtures.create_user_with_role(
+          [password: password, password_confirmation: password],
+          :unprivileged
+        )
+
+      session
+      |> password_login_flow(user.email, password)
+      |> assert_el(Query.text("Your Devices"))
+      |> assert_path("/user_devices")
+      |> Auth.assert_authenticated(user)
+    end
+  end
+
+  describe "using OIDC provider" do
+    feature "creates a user when auto_create_users is true", %{session: session} do
+      oidc_login = "firezone-1"
+      oidc_password = "firezone1234_oidc"
+      attrs = UsersFixtures.user_attrs()
+
+      :ok = Vault.setup_oidc_provider(@endpoint.url, %{"auto_create_users" => true})
+      :ok = Vault.upsert_user(oidc_login, attrs.email, oidc_password)
+
+      session
+      |> visit(~p"/")
+      |> click(Query.link("OIDC Vault"))
+      |> Vault.userpass_flow(oidc_login, oidc_password)
+      |> assert_el(Query.text("Your Devices"))
+      |> assert_path("/user_devices")
+
+      assert user = FzHttp.Repo.one(FzHttp.Users.User)
+      assert user.email == attrs.email
+      assert user.role == :unprivileged
+      assert user.last_signed_in_method == "vault"
+    end
+
+    feature "authenticates existing user", %{session: session} do
+      user = UsersFixtures.create_user()
+
+      oidc_login = "firezone-2"
+      oidc_password = "firezone1234_oidc"
+
+      :ok = Vault.setup_oidc_provider(@endpoint.url, %{"auto_create_users" => false})
+      :ok = Vault.upsert_user(oidc_login, user.email, oidc_password)
+
+      session
+      |> visit(~p"/")
+      |> click(Query.link("OIDC Vault"))
+      |> Vault.userpass_flow(oidc_login, oidc_password)
+      |> find(Query.text("Users", count: 2), fn _ -> :ok end)
+      |> assert_path("/users")
+
+      assert user = FzHttp.Repo.one(FzHttp.Users.User)
+      assert user.email == user.email
+      assert user.role == :admin
+      assert user.last_signed_in_method == "vault"
+    end
+
+    feature "does not create new users when auto_create_users is false", %{session: session} do
+      user_attrs = UsersFixtures.user_attrs()
+
+      oidc_login = "firezone-2"
+      oidc_password = "firezone1234_oidc"
+
+      :ok = Vault.setup_oidc_provider(@endpoint.url, %{"auto_create_users" => false})
+      :ok = Vault.upsert_user(oidc_login, user_attrs.email, oidc_password)
+
+      session
+      |> visit(~p"/")
+      |> click(Query.link("OIDC Vault"))
+      |> Vault.userpass_flow(oidc_login, oidc_password)
+      |> assert_error_flash("Error signing in: user not found and auto_create_users disabled")
+      |> Auth.assert_unauthenticated()
+    end
+
+    feature "allows to use OIDC when password auth is disabled", %{session: session} do
+      user_attrs = UsersFixtures.user_attrs()
+
+      oidc_login = "firezone-2"
+      oidc_password = "firezone1234_oidc"
+
+      :ok = Vault.setup_oidc_provider(@endpoint.url, %{"auto_create_users" => false})
+      :ok = Vault.upsert_user(oidc_login, user_attrs.email, oidc_password)
+
+      FzHttp.Configurations.put!(:local_auth_enabled, false)
+
+      session = visit(session, ~p"/")
+      assert find(session, Query.css(".input", count: 0))
+      assert_el(session, Query.text("Please sign in via one of the methods below."))
+    end
+  end
+
+  describe "MFA" do
+    feature "allows unprivileged user to add and remove MFA method", %{
+      session: session
+    } do
+      user = UsersFixtures.create_user_with_role(:unprivileged)
+
+      session
+      |> visit(~p"/")
+      |> Auth.authenticate(user)
+      |> visit(~p"/user_devices")
+      |> assert_el(Query.text("Your Devices"))
+      |> click(Query.link("My Account"))
+      |> assert_el(Query.text("Account Settings"))
+      |> click(Query.link("Add MFA Method"))
+      |> mfa_create_flow()
+      |> remove_mfa_flow()
+    end
+
+    feature "allows admin user to add and remove MFA method", %{
+      session: session
+    } do
+      user = UsersFixtures.create_user_with_role(:admin)
+
+      session
+      |> visit(~p"/")
+      |> Auth.authenticate(user)
+      |> visit(~p"/users")
+      |> hover(Query.css(".is-user-name span"))
+      |> click(Query.link("Account Settings"))
+      |> assert_el(Query.text("Multi Factor Authentication"))
+      |> click(Query.link("Add MFA Method"))
+      |> mfa_create_flow()
+      |> remove_mfa_flow()
+    end
+
+    feature "MFA code is requested on unprivileged user login", %{session: session} do
+      password = "firezone1234"
+
+      user =
+        UsersFixtures.create_user_with_role(
+          [password: password, password_confirmation: password],
+          :unprivileged
+        )
+
+      secret = NimbleTOTP.secret()
+      verification_code = NimbleTOTP.verification_code(secret)
+
+      {:ok, method} =
+        FzHttp.MFA.create_method(
+          %{
+            name: "Test",
+            type: :totp,
+            secret: Base.encode64(secret),
+            code: verification_code
+          },
+          user.id
+        )
+
+      # Newly created method has a very recent last_used_at timestamp,
+      # It being used in NimbleTOTP.valid?(code, since: last_used_at) always
+      # fails. Need to set it to be something in the past (more than 30s in the past).
+      {:ok, _method} = FzHttp.MFA.update_method(method, %{last_used_at: ~U[1970-01-01T00:00:00Z]})
+
+      session
+      |> password_login_flow(user.email, password)
+      |> mfa_login_flow(verification_code)
+      |> assert_el(Query.text("Your Devices"))
+      |> assert_path("/user_devices")
+      |> Auth.assert_authenticated(user)
+    end
+
+    feature "MFA code is requested on admin user login", %{session: session} do
+      password = "firezone1234"
+
+      user =
+        UsersFixtures.create_user_with_role(
+          [password: password, password_confirmation: password],
+          :admin
+        )
+
+      secret = NimbleTOTP.secret()
+      verification_code = NimbleTOTP.verification_code(secret)
+
+      {:ok, method} =
+        FzHttp.MFA.create_method(
+          %{
+            name: "Test",
+            type: :totp,
+            secret: Base.encode64(secret),
+            code: verification_code
+          },
+          user.id
+        )
+
+      # Newly created method has a very recent last_used_at timestamp,
+      # It being used in NimbleTOTP.valid?(code, since: last_used_at) always
+      # fails. Need to set it to be something in the past (more than 30s in the past).
+      {:ok, _method} = FzHttp.MFA.update_method(method, %{last_used_at: ~U[1970-01-01T00:00:00Z]})
+
+      session
+      |> password_login_flow(user.email, password)
+      |> mfa_login_flow(verification_code)
+      |> assert_el(Query.css(".is-user-name"))
+      |> assert_path("/users")
+      |> Auth.assert_authenticated(user)
+    end
+
+    feature "user can sign out during MFA flow", %{session: session} do
+      password = "firezone1234"
+
+      user =
+        UsersFixtures.create_user_with_role(
+          [password: password, password_confirmation: password],
+          :admin
+        )
+
+      secret = NimbleTOTP.secret()
+      verification_code = NimbleTOTP.verification_code(secret)
+
+      {:ok, method} =
+        FzHttp.MFA.create_method(
+          %{
+            name: "Test",
+            type: :totp,
+            secret: Base.encode64(secret),
+            code: verification_code
+          },
+          user.id
+        )
+
+      # Newly created method has a very recent last_used_at timestamp,
+      # It being used in NimbleTOTP.valid?(code, since: last_used_at) always
+      # fails. Need to set it to be something in the past (more than 30s in the past).
+      {:ok, _method} = FzHttp.MFA.update_method(method, %{last_used_at: ~U[1970-01-01T00:00:00Z]})
+
+      session
+      |> password_login_flow(user.email, password)
+      |> assert_el(Query.text("Multi-factor Authentication"))
+      |> click(Query.css("[data-to=\"/sign_out\"]"))
+      |> assert_el(Query.text("Sign In"))
+      |> Auth.assert_unauthenticated()
+      |> assert_path("/")
+    end
+
+    feature "user can see other methods during MFA flow", %{session: session} do
+      password = "firezone1234"
+
+      user =
+        UsersFixtures.create_user_with_role(
+          [password: password, password_confirmation: password],
+          :admin
+        )
+
+      secret = NimbleTOTP.secret()
+      verification_code = NimbleTOTP.verification_code(secret)
+
+      {:ok, method} =
+        FzHttp.MFA.create_method(
+          %{
+            name: "Test",
+            type: :totp,
+            secret: Base.encode64(secret),
+            code: verification_code
+          },
+          user.id
+        )
+
+      # Newly created method has a very recent last_used_at timestamp,
+      # It being used in NimbleTOTP.valid?(code, since: last_used_at) always
+      # fails. Need to set it to be something in the past (more than 30s in the past).
+      {:ok, _method} = FzHttp.MFA.update_method(method, %{last_used_at: ~U[1970-01-01T00:00:00Z]})
+
+      session
+      |> password_login_flow(user.email, password)
+      |> assert_el(Query.text("Multi-factor Authentication"))
+      |> click(Query.css("[href=\"/mfa/types\"]"))
+      |> assert_el(Query.css("[href=\"/mfa/auth/#{method.id}\"]"))
+    end
+  end
+
+  describe "sign out" do
+    feature "signs out unprivileged user", %{session: session} do
+      user = UsersFixtures.create_user_with_role(:unprivileged)
+
+      session
+      |> visit(~p"/")
+      |> Auth.authenticate(user)
+      |> visit(~p"/user_devices")
+      |> click(Query.link("Sign out"))
+      |> assert_el(Query.text("Sign In"))
+      |> Auth.assert_unauthenticated()
+      |> assert_path("/")
+    end
+
+    feature "signs out admin user", %{session: session} do
+      user = UsersFixtures.create_user_with_role(:admin)
+
+      session
+      |> visit(~p"/")
+      |> Auth.authenticate(user)
+      |> visit(~p"/users")
+      |> hover(Query.css(".is-user-name span"))
+      |> click(Query.link("Log Out"))
+      |> assert_el(Query.text("Sign In"))
+      |> Auth.assert_unauthenticated()
+      |> assert_path("/")
+    end
+  end
+
+  defp assert_error_flash(session, text) do
+    assert_text(session, Query.css(".flash-error"), text)
+    session
+  end
+
+  defp password_login_flow(session, email, password) do
+    session
+    |> visit(~p"/")
+    |> click(Query.link("Sign in with email"))
+    |> fill_form(%{
+      "Email" => email,
+      "Password" => password
+    })
+    |> click(Query.button("Sign In"))
+  end
+
+  defp mfa_login_flow(session, verification_code) do
+    session
+    |> assert_el(Query.text("Multi-factor Authentication"))
+    |> fill_form(%{"code" => "111111"})
+    |> click(Query.button("Verify"))
+    |> assert_el(Query.text("is not valid"))
+    |> fill_form(%{"code" => verification_code})
+    |> click(Query.button("Verify"))
+  end
+
+  defp mfa_create_flow(session) do
+    assert selected?(session, Query.radio_button("mfa-method-totp"))
+
+    session =
+      session
+      |> click(Query.button("Next"))
+      |> assert_el(Query.text("Register Authenticator"))
+      |> fill_in(Query.fillable_field("name"), with: "My MFA Name")
+
+    secret =
+      Browser.text(session, Query.css("#copy-totp-key"))
+      |> String.replace(" ", "")
+      |> Base.decode32!()
+
+    session =
+      session
+      |> click(Query.button("Next"))
+      |> assert_el(Query.text("Verify Code"))
+      |> fill_in(Query.fillable_field("code"), with: "123456")
+      |> click(Query.button("Next"))
+      |> assert_el(Query.css("input.is-danger"))
+      |> fill_in(Query.fillable_field("code"), with: NimbleTOTP.verification_code(secret))
+      |> click(Query.button("Next"))
+      |> assert_el(Query.text("Confirm to save this Authentication method."))
+      |> click(Query.button("Save"))
+      |> assert_el(Query.text("MFA method added!"))
+
+    assert mfa_method = Repo.one(FzHttp.MFA.Method)
+    assert mfa_method.name == "My MFA Name"
+    assert mfa_method.payload["secret"] == Base.encode64(secret)
+
+    session
+  end
+
+  defp remove_mfa_flow(session) do
+    session =
+      session
+      |> assert_el(Query.text("Multi Factor Authentication"))
+
+    accept_confirm(session, fn session ->
+      click(session, Query.css("[phx-click=\"delete_authenticator\"]"))
+    end)
+
+    session
+    |> assert_el(Query.text("No MFA methods added."))
+  end
+end
diff --git a/apps/fz_http/test/fz_http_web/acceptance/unprivileged_user_test.exs b/apps/fz_http/test/fz_http_web/acceptance/unprivileged_user_test.exs
new file mode 100644
index 000000000..42278ce40
--- /dev/null
+++ b/apps/fz_http/test/fz_http_web/acceptance/unprivileged_user_test.exs
@@ -0,0 +1,166 @@
+defmodule FzHttpWeb.Acceptance.UnprivilegedUserTest do
+  use FzHttpWeb.AcceptanceCase, async: true
+  alias FzHttp.{UsersFixtures, DevicesFixtures}
+
+  describe "device management" do
+    setup tags do
+      user = UsersFixtures.create_user_with_role(:unprivileged)
+
+      session =
+        tags.session
+        |> visit(~p"/")
+        |> Auth.authenticate(user)
+
+      tags
+      |> Map.put(:session, session)
+      |> Map.put(:user, user)
+    end
+
+    feature "allows user to add and configure a device", %{
+      session: session
+    } do
+      FzHttp.Configurations.put!(:allow_unprivileged_device_configuration, true)
+
+      session
+      |> visit(~p"/user_devices")
+      |> assert_el(Query.text("Your Devices"))
+      |> click(Query.link("Add Device"))
+      |> assert_el(Query.button("Generate Configuration"))
+      |> set_value(Query.css("#create-device_use_default_allowed_ips_false"), :selected)
+      |> set_value(Query.css("#create-device_use_default_dns_false"), :selected)
+      |> set_value(Query.css("#create-device_use_default_endpoint_false"), :selected)
+      |> set_value(Query.css("#create-device_use_default_mtu_false"), :selected)
+      |> set_value(
+        Query.css("#create-device_use_default_persistent_keepalive_false"),
+        :selected
+      )
+      |> fill_form(%{
+        "device[allowed_ips]" => "127.0.0.1",
+        "device[name]" => "big-head-007",
+        "device[description]" => "Dummy description",
+        "device[dns]" => "1.1.1.1,2.2.2.2",
+        "device[endpoint]" => "example.com:51820",
+        "device[mtu]" => "1400",
+        "device[persistent_keepalive]" => "10",
+        "device[ipv4]" => "10.10.11.1",
+        "device[ipv6]" => "fd00::1e:3f96"
+      })
+      |> fill_in(Query.fillable_field("device[description]"), with: "Dummy description")
+      |> click(Query.button("Generate Configuration"))
+      |> assert_el(Query.text("Device added!"))
+      |> click(Query.css("button[phx-click=\"close\"]"))
+      |> assert_el(Query.text("big-head-007"))
+
+      assert device = Repo.one(FzHttp.Devices.Device)
+      assert device.name == "big-head-007"
+      assert device.description == "Dummy description"
+      assert device.allowed_ips == "127.0.0.1"
+      assert device.dns == "1.1.1.1,2.2.2.2"
+      assert device.endpoint == "example.com:51820"
+      assert device.mtu == 1400
+      assert device.persistent_keepalive == 10
+      assert device.ipv4 == %Postgrex.INET{address: {10, 10, 11, 1}}
+      assert device.ipv6 == %Postgrex.INET{address: {64_768, 0, 0, 0, 0, 0, 30, 16_278}}
+    end
+
+    feature "allows user to add a device", %{
+      session: session
+    } do
+      FzHttp.Configurations.put!(:allow_unprivileged_device_configuration, false)
+
+      session
+      |> visit(~p"/user_devices")
+      |> assert_el(Query.text("Your Devices"))
+      |> click(Query.link("Add Device"))
+      |> assert_el(Query.button("Generate Configuration"))
+      |> fill_form(%{
+        "device[name]" => "big-hand-007",
+        "device[description]" => "Dummy description"
+      })
+      |> fill_in(Query.fillable_field("device[description]"), with: "Dummy description")
+      |> click(Query.button("Generate Configuration"))
+      |> assert_el(Query.text("Device added!"))
+      |> click(Query.css("button[phx-click=\"close\"]"))
+      |> assert_el(Query.text("big-hand-007"))
+
+      assert device = Repo.one(FzHttp.Devices.Device)
+      assert device.name == "big-hand-007"
+      assert device.description == "Dummy description"
+    end
+
+    feature "does not allow adding devices", %{session: session} do
+      FzHttp.Configurations.put!(:allow_unprivileged_device_management, false)
+
+      session
+      |> visit(~p"/user_devices")
+      |> assert_el(Query.text("Your Devices"))
+      |> refute_has(Query.link("Add Device"))
+    end
+
+    feature "allows user to delete a device", %{
+      session: session,
+      user: user
+    } do
+      device = DevicesFixtures.create_device_for_user(user)
+
+      session =
+        session
+        |> visit(~p"/user_devices")
+        |> assert_el(Query.text("Your Devices"))
+        |> assert_el(Query.text(device.public_key))
+        |> click(Query.link(device.name))
+        |> assert_el(Query.text(device.description))
+
+      accept_confirm(session, fn session ->
+        click(session, Query.button("Delete Device #{device.name}"))
+      end)
+
+      assert_el(session, Query.text("No devices to show."))
+
+      assert Repo.one(FzHttp.Devices.Device) == nil
+    end
+  end
+
+  describe "profile" do
+    setup tags do
+      user = UsersFixtures.create_user_with_role(:unprivileged)
+
+      session =
+        tags.session
+        |> visit(~p"/")
+        |> Auth.authenticate(user)
+
+      tags
+      |> Map.put(:session, session)
+      |> Map.put(:user, user)
+    end
+
+    feature "allows to change password", %{
+      session: session,
+      user: user
+    } do
+      session
+      |> visit(~p"/user_devices")
+      |> assert_el(Query.text("Your Devices"))
+      |> click(Query.link("My Account"))
+      |> assert_el(Query.text("Account Settings"))
+      |> click(Query.link("Change Password"))
+      |> assert_el(Query.text("Enter new password below."))
+      |> fill_form(%{
+        "user[password]" => "foo",
+        "user[password_confirmation]" => ""
+      })
+      |> click(Query.button("Save"))
+      |> assert_el(Query.text("should be at least 12 character(s)"))
+      |> assert_el(Query.text("does not match confirmation"))
+      |> fill_form(%{
+        "user[password]" => "new_password",
+        "user[password_confirmation]" => "new_password"
+      })
+      |> click(Query.button("Save"))
+      |> assert_el(Query.text("Password updated successfully"))
+
+      assert Repo.one(FzHttp.Users.User).password_hash != user.password_hash
+    end
+  end
+end
diff --git a/apps/fz_http/test/fz_http_web/channels/notification_channel_test.exs b/apps/fz_http/test/fz_http_web/channels/notification_channel_test.exs
index 1461f9e32..57a7c395a 100644
--- a/apps/fz_http/test/fz_http_web/channels/notification_channel_test.exs
+++ b/apps/fz_http/test/fz_http_web/channels/notification_channel_test.exs
@@ -10,7 +10,7 @@ defmodule FzHttpWeb.NotificationChannelTest do
 
       socket =
         FzHttpWeb.UserSocket
-        |> socket(user.id, %{remote_ip: "127.0.0.1"})
+        |> socket(user.id, %{remote_ip: "127.0.0.1", user_agent: "test", current_user_id: user.id})
 
       %{
         user: user,
@@ -19,28 +19,12 @@ defmodule FzHttpWeb.NotificationChannelTest do
       }
     end
 
-    test "joins channel with valid token", %{token: token, socket: socket, user: user} do
-      payload = %{
-        "token" => token,
-        "user_agent" => "test"
-      }
-
+    test "joins channel ", %{socket: socket, user: user} do
       {:ok, _, test_socket} =
         socket
-        |> subscribe_and_join(NotificationChannel, "notification:session", payload)
+        |> subscribe_and_join(NotificationChannel, "notification:session", %{})
 
       assert test_socket.assigns.current_user.id == user.id
     end
-
-    test "prevents joining with invalid token", %{token: _token, socket: socket, user: _user} do
-      payload = %{
-        "token" => "foobar",
-        "user_agent" => "test"
-      }
-
-      assert {:error, %{reason: "unauthorized"}} ==
-               socket
-               |> subscribe_and_join(NotificationChannel, "notification:session", payload)
-    end
   end
 end
diff --git a/apps/fz_http/test/fz_http_web/controllers/auth_controller_test.exs b/apps/fz_http/test/fz_http_web/controllers/auth_controller_test.exs
index 5e7c0144e..72c30bf44 100644
--- a/apps/fz_http/test/fz_http_web/controllers/auth_controller_test.exs
+++ b/apps/fz_http/test/fz_http_web/controllers/auth_controller_test.exs
@@ -1,27 +1,32 @@
 defmodule FzHttpWeb.AuthControllerTest do
   use FzHttpWeb.ConnCase, async: true
-  import Mox
+  alias FzHttp.ConfigurationsFixtures
+  alias FzHttp.Repo
 
   setup do
-    FzHttp.Configurations.put!(
-      :openid_connect_providers,
-      FzHttp.ConfigurationsFixtures.openid_connect_providers_attrs()
-    )
+    {bypass, _openid_connect_providers_attrs} =
+      ConfigurationsFixtures.start_openid_providers([
+        "google",
+        "okta",
+        "auth0",
+        "azure",
+        "onelogin",
+        "keycloak",
+        "vault"
+      ])
 
     FzHttp.Configurations.put!(
       :saml_identity_providers,
       [FzHttp.SAMLIdentityProviderFixtures.saml_attrs() |> Map.put("label", "SAML")]
     )
 
-    %{}
+    %{bypass: bypass}
   end
 
   describe "new" do
     setup [:create_user]
 
     test "unauthed: loads the sign in form", %{unauthed_conn: conn} do
-      expect(OpenIDConnect.Mock, :authorization_uri, fn _, _ -> "https://auth.url" end)
-
       test_conn = get(conn, ~p"/")
 
       # Assert that we have email, OIDC and Oauth2 buttons provided
@@ -71,7 +76,7 @@ defmodule FzHttpWeb.AuthControllerTest do
       assert test_conn.request_path == ~p"/auth/identity/callback"
 
       assert Phoenix.Flash.get(test_conn.assigns.flash, :error) ==
-               "Error signing in: invalid_credentials"
+               "Error signing in: user credentials are invalid or user does not exist"
     end
 
     test "invalid password", %{unauthed_conn: conn, user: user} do
@@ -85,7 +90,7 @@ defmodule FzHttpWeb.AuthControllerTest do
       assert test_conn.request_path == ~p"/auth/identity/callback"
 
       assert Phoenix.Flash.get(test_conn.assigns.flash, :error) ==
-               "Error signing in: invalid_credentials"
+               "Error signing in: user credentials are invalid or user does not exist"
     end
 
     test "valid params", %{unauthed_conn: conn, user: user} do
@@ -138,31 +143,46 @@ defmodule FzHttpWeb.AuthControllerTest do
       {:ok, unauthed_conn: put_req_cookie(conn, "fz_oidc_state", signed_state)}
     end
 
-    test "when a user returns with a valid claim", %{unauthed_conn: conn, user: user} do
-      expect(OpenIDConnect.Mock, :fetch_tokens, fn _, _ -> {:ok, %{"id_token" => "abc"}} end)
+    test "when a user returns with a valid claim", %{
+      unauthed_conn: conn,
+      user: user,
+      bypass: bypass
+    } do
+      jwk = ConfigurationsFixtures.jwks_attrs()
 
-      expect(OpenIDConnect.Mock, :verify, fn _, _ ->
-        {:ok, %{"email" => user.email, "sub" => "12345"}}
-      end)
+      claims = %{"email" => user.email, "sub" => user.id}
+
+      {_alg, token} =
+        jwk
+        |> JOSE.JWK.from()
+        |> JOSE.JWS.sign(Jason.encode!(claims), %{"alg" => "RS256"})
+        |> JOSE.JWS.compact()
+
+      ConfigurationsFixtures.expect_refresh_token(bypass, %{"id_token" => token})
 
       test_conn = get(conn, ~p"/auth/oidc/google/callback", @params)
       assert redirected_to(test_conn) == ~p"/users"
-      assert get_session(test_conn, "id_token") == "abc"
+
+      assert get_session(test_conn, "id_token")
     end
 
-    @moduletag :capture_log
+    test "when a user returns with an invalid claim", %{unauthed_conn: conn, bypass: bypass} do
+      jwk = ConfigurationsFixtures.jwks_attrs()
 
-    test "when a user returns with an invalid claim", %{unauthed_conn: conn} do
-      expect(OpenIDConnect.Mock, :fetch_tokens, fn _, _ -> {:ok, %{}} end)
+      claims = %{"email" => "foo@example.com", "sub" => Ecto.UUID.generate()}
 
-      expect(OpenIDConnect.Mock, :verify, fn _, _ ->
-        {:error, "Invalid token for user!"}
-      end)
+      {_alg, token} =
+        jwk
+        |> JOSE.JWK.from()
+        |> JOSE.JWS.sign(Jason.encode!(claims), %{"alg" => "RS256"})
+        |> JOSE.JWS.compact()
+
+      ConfigurationsFixtures.expect_refresh_token(bypass, %{"id_token" => token})
 
       test_conn = get(conn, ~p"/auth/oidc/google/callback", @params)
 
       assert Phoenix.Flash.get(test_conn.assigns.flash, :error) ==
-               "OpenIDConnect Error: Invalid token for user!"
+               "Error signing in: user not found and auto_create_users disabled"
     end
 
     test "when a user returns with an invalid state", %{unauthed_conn: conn} do
@@ -203,25 +223,43 @@ defmodule FzHttpWeb.AuthControllerTest do
     setup :create_user
 
     test "redirects to root path", %{unauthed_conn: conn, user: user} do
+      refute user.sign_in_token
+
       test_conn = post(conn, ~p"/auth/magic_link", %{"email" => user.email})
 
       assert redirected_to(test_conn) == ~p"/"
 
       assert Phoenix.Flash.get(test_conn.assigns.flash, :info) ==
                "Please check your inbox for the magic link."
+
+      user = Repo.get(FzHttp.Users.User, user.id)
+      assert user.sign_in_token_hash
+
+      assert_receive {:email, email}
+
+      assert email.subject == "Firezone Magic Link"
+      assert email.to == [{"", user.email}]
+      assert email.text_body =~ "/auth/magic/#{user.id}/"
+
+      token = String.split(email.assigns.link, "/") |> List.last()
+
+      assert {:ok, _user} = FzHttp.Users.consume_sign_in_token(user, token)
     end
   end
 
   describe "when using magic link" do
     setup :create_user
 
-    alias FzHttp.Repo
+    setup context do
+      {:ok, user} = FzHttp.Users.request_sign_in_token(context.user)
+      Map.put(context, :user, user)
+    end
 
     test "user sign_in_token is cleared", %{unauthed_conn: conn, user: user} do
       assert not is_nil(user.sign_in_token)
       assert not is_nil(user.sign_in_token_created_at)
 
-      get(conn, ~p"/auth/magic/#{user.sign_in_token}")
+      get(conn, ~p"/auth/magic/#{user.id}/#{user.sign_in_token}")
 
       user = Repo.reload!(user)
 
@@ -230,7 +268,7 @@ defmodule FzHttpWeb.AuthControllerTest do
     end
 
     test "user last signed in with magic_link provider", %{unauthed_conn: conn, user: user} do
-      get(conn, ~p"/auth/magic/#{user.sign_in_token}")
+      get(conn, ~p"/auth/magic/#{user.id}/#{user.sign_in_token}")
 
       user = Repo.reload!(user)
 
@@ -238,7 +276,7 @@ defmodule FzHttpWeb.AuthControllerTest do
     end
 
     test "user is signed in", %{unauthed_conn: conn, user: user} do
-      test_conn = get(conn, ~p"/auth/magic/#{user.sign_in_token}")
+      test_conn = get(conn, ~p"/auth/magic/#{user.id}/#{user.sign_in_token}")
 
       assert current_user(test_conn).id == user.id
     end
@@ -246,49 +284,37 @@ defmodule FzHttpWeb.AuthControllerTest do
     test "prevents signing in when local_auth_disabled", %{unauthed_conn: conn, user: user} do
       FzHttp.Configurations.put!(:local_auth_enabled, false)
 
-      test_conn = get(conn, ~p"/auth/magic/#{user.sign_in_token}")
+      test_conn = get(conn, ~p"/auth/magic/#{user.id}/#{user.sign_in_token}")
       assert text_response(test_conn, 401) == "Local auth disabled"
     end
   end
 
   describe "oidc signout url" do
-    @oidc_end_session_uri "https://end-session.url"
-    @params %{
-      "id_token_hint" => "abc",
-      "post_logout_redirect_uri" => "https://localhost",
-      "client_id" => "okta-client-id"
-    }
-
     @tag session: [login_method: "okta", id_token: "abc"]
     test "redirects to oidc end_session_uri", %{admin_conn: conn} do
-      # mimics OpenID Connect
-      query = URI.encode_query(@params)
+      query =
+        URI.encode_query(%{
+          "id_token_hint" => "abc",
+          "post_logout_redirect_uri" => "http://localhost:4002/",
+          "client_id" => "okta-client-id"
+        })
 
       complete_uri =
-        @oidc_end_session_uri
+        "https://example.com"
         |> URI.merge("?#{query}")
         |> URI.to_string()
 
-      expect(OpenIDConnect.Mock, :end_session_uri, fn _provider, _params -> complete_uri end)
-
       test_conn = delete(conn, ~p"/sign_out")
       assert redirected_to(test_conn) == complete_uri
     end
   end
 
   describe "oidc signin url" do
-    @oidc_auth_uri "https://auth.url"
-
-    test "redirects to oidc auth uri", %{unauthed_conn: conn} do
-      expect(OpenIDConnect.Mock, :authorization_uri, fn provider, _ ->
-        case provider do
-          "google" -> @oidc_auth_uri
-        end
-      end)
-
+    test "redirects to oidc auth uri", %{unauthed_conn: conn, bypass: bypass} do
       test_conn = get(conn, ~p"/auth/oidc/google")
 
-      assert redirected_to(test_conn) == @oidc_auth_uri
+      bypass_url = "http://localhost:#{bypass.port}/authorize"
+      assert String.starts_with?(redirected_to(test_conn), bypass_url)
     end
   end
 end
diff --git a/apps/fz_http/test/fz_http_web/controllers/json/user_controller_test.exs b/apps/fz_http/test/fz_http_web/controllers/json/user_controller_test.exs
index bf17c2a78..be77073c7 100644
--- a/apps/fz_http/test/fz_http_web/controllers/json/user_controller_test.exs
+++ b/apps/fz_http/test/fz_http_web/controllers/json/user_controller_test.exs
@@ -99,10 +99,8 @@ defmodule FzHttpWeb.JSON.UserControllerTest do
         |> doc(example_description: "Error due to invalid parameters")
 
       assert json_response(conn, 422)["errors"] == %{
-               "password" => [
-                 "should be at least 12 character(s)",
-                 "does not match password confirmation."
-               ]
+               "password" => ["should be at least 12 character(s)"],
+               "password_confirmation" => ["can't be blank"]
              }
     end
 
@@ -139,7 +137,7 @@ defmodule FzHttpWeb.JSON.UserControllerTest do
       params = %{"password" => "update-password", "password_confirmation" => "update-password"}
       conn = put(authed_conn(), ~p"/v0/users/#{user}", user: params)
 
-      assert Users.get_user!(json_response(conn, 200)["data"]["id"]).password_hash !=
+      assert Users.fetch_user_by_id!(json_response(conn, 200)["data"]["id"]).password_hash !=
                old_hash
     end
 
@@ -163,7 +161,7 @@ defmodule FzHttpWeb.JSON.UserControllerTest do
       params = %{"password" => "update-password", "password_confirmation" => "update-password"}
       conn = put(authed_conn(), ~p"/v0/users/#{user}", user: params)
 
-      assert Users.get_user!(json_response(conn, 200)["data"]["id"]).password_hash !=
+      assert Users.fetch_user_by_id!(json_response(conn, 200)["data"]["id"]).password_hash !=
                old_hash
     end
 
@@ -207,14 +205,14 @@ defmodule FzHttpWeb.JSON.UserControllerTest do
       conn = put(conn, ~p"/v0/users/#{user}", user: @invalid_attrs)
 
       assert json_response(conn, 422)["errors"] == %{
-               "password" => ["should be at least 12 character(s)"]
+               "password" => ["should be at least 12 character(s)"],
+               "password_confirmation" => ["can't be blank"]
              }
     end
 
     test "renders 404 for user not found" do
-      assert_error_sent(404, fn ->
-        put(authed_conn(), ~p"/v0/users/003da73d-2dd9-4492-8136-3282843545e8", user: %{})
-      end)
+      conn = put(authed_conn(), ~p"/v0/users/#{Ecto.UUID.generate()}", user: %{})
+      assert json_response(conn, 404) == %{"error" => "not_found"}
     end
 
     test "renders 401 for missing authorization header" do
@@ -245,9 +243,8 @@ defmodule FzHttpWeb.JSON.UserControllerTest do
     end
 
     test "renders 404 for user not found" do
-      assert_error_sent(404, fn ->
-        get(authed_conn(), ~p"/v0/users/003da73d-2dd9-4492-8136-3282843545e8")
-      end)
+      conn = get(authed_conn(), ~p"/v0/users/003da73d-2dd9-4492-8136-3282843545e8")
+      assert json_response(conn, 404) == %{"error" => "not_found"}
     end
 
     test "renders 401 for missing authorization header" do
@@ -266,9 +263,8 @@ defmodule FzHttpWeb.JSON.UserControllerTest do
 
       assert response(conn, 204)
 
-      assert_error_sent(404, fn ->
-        get(conn, ~p"/v0/users/#{user}")
-      end)
+      conn = get(conn, ~p"/v0/users/#{user}")
+      assert json_response(conn, 404) == %{"error" => "not_found"}
     end
 
     test "deletes user by email" do
@@ -280,15 +276,13 @@ defmodule FzHttpWeb.JSON.UserControllerTest do
 
       assert response(conn, 204)
 
-      assert_error_sent(404, fn ->
-        get(conn, ~p"/v0/users/#{user}")
-      end)
+      conn = get(conn, ~p"/v0/users/#{user}")
+      assert json_response(conn, 404) == %{"error" => "not_found"}
     end
 
     test "renders 404 for user not found" do
-      assert_error_sent(404, fn ->
-        delete(authed_conn(), ~p"/v0/users/003da73d-2dd9-4492-8136-3282843545e8")
-      end)
+      conn = delete(authed_conn(), ~p"/v0/users/003da73d-2dd9-4492-8136-3282843545e8")
+      assert json_response(conn, 404) == %{"error" => "not_found"}
     end
 
     test "renders 401 for missing authorization header" do
diff --git a/apps/fz_http/test/fz_http_web/controllers/user_controller_test.exs b/apps/fz_http/test/fz_http_web/controllers/user_controller_test.exs
index 1d2c0e4fb..615b949f4 100644
--- a/apps/fz_http/test/fz_http_web/controllers/user_controller_test.exs
+++ b/apps/fz_http/test/fz_http_web/controllers/user_controller_test.exs
@@ -33,7 +33,7 @@ defmodule FzHttpWeb.UserControllerTest do
 
     test "returns 404", %{admin_user: user, admin_conn: conn} do
       user.id
-      |> Users.get_user!()
+      |> Users.fetch_user_by_id!()
       |> Users.delete_user()
 
       assert_raise(Ecto.StaleEntryError, fn ->
diff --git a/apps/fz_http/test/fz_http_web/live/setting_live/account_test.exs b/apps/fz_http/test/fz_http_web/live/setting_live/account_test.exs
index fd6c68de5..0ceb9fde3 100644
--- a/apps/fz_http/test/fz_http_web/live/setting_live/account_test.exs
+++ b/apps/fz_http/test/fz_http_web/live/setting_live/account_test.exs
@@ -17,7 +17,7 @@ defmodule FzHttpWeb.SettingLive.AccountTest do
       path = ~p"/settings/account"
       {:ok, _view, html} = live(conn, path)
 
-      user = Users.get_user!(user.id)
+      user = Users.fetch_user_by_id!(user.id)
 
       assert html =~ "Delete Your Account"
       assert html =~ user.email
@@ -25,7 +25,7 @@ defmodule FzHttpWeb.SettingLive.AccountTest do
   end
 
   describe "when live_action is edit" do
-    @valid_params %{"user" => %{"email" => "foobar@test", "current_password" => "password1234"}}
+    @valid_params %{"user" => %{"email" => "foobar@test"}}
     @invalid_params %{"user" => %{"email" => "foobar"}}
 
     test "loads the form" do
@@ -55,7 +55,6 @@ defmodule FzHttpWeb.SettingLive.AccountTest do
         |> render_submit(%{
           "user" => %{
             "email" => "",
-            "current_password" => "",
             "password" => "",
             "password_confirmation" => ""
           }
@@ -74,7 +73,7 @@ defmodule FzHttpWeb.SettingLive.AccountTest do
         |> element("#account-edit")
         |> render_submit(@invalid_params)
 
-      assert test_view =~ "has invalid format"
+      assert test_view =~ "is invalid email address"
     end
 
     test "closes modal", %{admin_conn: conn} do
diff --git a/apps/fz_http/test/fz_http_web/live/setting_live/security_test.exs b/apps/fz_http/test/fz_http_web/live/setting_live/security_test.exs
index 2c3adff81..27d4d59cb 100644
--- a/apps/fz_http/test/fz_http_web/live/setting_live/security_test.exs
+++ b/apps/fz_http/test/fz_http_web/live/setting_live/security_test.exs
@@ -106,7 +106,8 @@ defmodule FzHttpWeb.SettingLive.SecurityTest do
             "client_id" => "foo",
             "client_secret" => "bar",
             "discovery_document_uri" =>
-              "https://common.auth0.com/.well-known/openid-configuration"
+              "https://common.auth0.com/.well-known/openid-configuration",
+            "auto_create_users" => false
           }
         ],
         saml_identity_providers: []
@@ -159,7 +160,7 @@ defmodule FzHttpWeb.SettingLive.SecurityTest do
                  discovery_document_uri:
                    "https://common.auth0.com/.well-known/openid-configuration",
                  redirect_uri: nil,
-                 auto_create_users: true
+                 auto_create_users: false
                }
              ]
     end
@@ -229,9 +230,9 @@ defmodule FzHttpWeb.SettingLive.SecurityTest do
       assert length(saml_identity_providers) == 2
 
       assert %FzHttp.Configurations.Configuration.SAMLIdentityProvider{
-               auto_create_users: true,
+               auto_create_users: false,
                # XXX this field would be nil if we don't "guess" the url when we load the record in StartServer
-               base_url: "https://localhost/auth/saml",
+               base_url: "http://localhost:4002/auth/saml",
                id: "FAKEID",
                label: "FOO",
                metadata: attrs["metadata"],
diff --git a/apps/fz_http/test/fz_http_web/live/setting_live/unprivileged/account_test.exs b/apps/fz_http/test/fz_http_web/live/setting_live/unprivileged/account_test.exs
index b9fd202c5..f7c30b5ba 100644
--- a/apps/fz_http/test/fz_http_web/live/setting_live/unprivileged/account_test.exs
+++ b/apps/fz_http/test/fz_http_web/live/setting_live/unprivileged/account_test.exs
@@ -17,7 +17,7 @@ defmodule FzHttpWeb.SettingLive.Unprivileged.AccountTest do
       path = ~p"/user_account"
       {:ok, _view, html} = live(conn, path)
 
-      user = Users.get_user!(user.id)
+      user = Users.fetch_user_by_id!(user.id)
 
       assert html =~ user.email
     end
@@ -27,8 +27,7 @@ defmodule FzHttpWeb.SettingLive.Unprivileged.AccountTest do
     @valid_params %{
       "user" => %{
         "password" => "newpassword1234",
-        "password_confirmation" => "newpassword1234",
-        "current_password" => "password1234"
+        "password_confirmation" => "newpassword1234"
       }
     }
     @invalid_params %{"user" => %{"password" => "foobar"}}
@@ -50,7 +49,7 @@ defmodule FzHttpWeb.SettingLive.Unprivileged.AccountTest do
       assert flash["info"] == "Password updated successfully."
     end
 
-    test "doesn't allow empty password", %{unprivileged_conn: conn} do
+    test "doesn't allow invalid password", %{unprivileged_conn: conn} do
       path = ~p"/user_account/change_password"
       {:ok, view, _html} = live(conn, path)
 
@@ -60,7 +59,7 @@ defmodule FzHttpWeb.SettingLive.Unprivileged.AccountTest do
         |> render_submit(@invalid_params)
 
       refute_redirected(view, ~p"/user_account")
-      assert test_view =~ "can&#39;t be blank"
+      assert test_view =~ "should be at least 12 character(s)"
     end
 
     test "closes modal", %{unprivileged_conn: conn} do
diff --git a/apps/fz_http/test/fz_http_web/live/user_live/index_test.exs b/apps/fz_http/test/fz_http_web/live/user_live/index_test.exs
index 8f0372eab..5ffd05e33 100644
--- a/apps/fz_http/test/fz_http_web/live/user_live/index_test.exs
+++ b/apps/fz_http/test/fz_http_web/live/user_live/index_test.exs
@@ -27,7 +27,7 @@ defmodule FzHttpWeb.UserLive.IndexTest do
       path = ~p"/users"
       {:ok, _view, html} = live(conn, path)
 
-      for user <- Users.list_users(:with_device_counts) do
+      for user <- Users.list_users(hydrate: [:device_count]) do
         assert html =~ "<td id=\"user-#{user.id}-device-count\">#{user.device_count}</td>"
       end
     end
@@ -84,7 +84,7 @@ defmodule FzHttpWeb.UserLive.IndexTest do
 
       {new_path, flash} = assert_redirect(view)
       assert flash["info"] == "User created successfully."
-      user = Users.get_user!(email: @valid_user_attrs["user"]["email"])
+      assert {:ok, user} = Users.fetch_user_by_email(@valid_user_attrs["user"]["email"])
       assert new_path == ~p"/users/#{user}"
     end
 
@@ -97,7 +97,7 @@ defmodule FzHttpWeb.UserLive.IndexTest do
         |> element("form#user-form")
         |> render_submit(@invalid_user_attrs)
 
-      assert new_view =~ "has invalid format"
+      assert new_view =~ "is invalid email address"
       assert new_view =~ "should be at least 12 character(s)"
     end
   end
diff --git a/apps/fz_http/test/fz_http_web/live/user_live/show_test.exs b/apps/fz_http/test/fz_http_web/live/user_live/show_test.exs
index 1a57faf55..57901e191 100644
--- a/apps/fz_http/test/fz_http_web/live/user_live/show_test.exs
+++ b/apps/fz_http/test/fz_http_web/live/user_live/show_test.exs
@@ -607,7 +607,7 @@ defmodule FzHttpWeb.UserLive.ShowTest do
         |> element("form#user-form")
         |> render_submit(@invalid_attrs)
 
-      assert test_view =~ "has invalid format"
+      assert test_view =~ "is invalid email address"
       assert test_view =~ "should be at least 12 character(s)"
     end
   end
diff --git a/apps/fz_http/test/fz_http_web/mailer_test/auth_email_test.exs b/apps/fz_http/test/fz_http_web/mailer_test/auth_email_test.exs
deleted file mode 100644
index 777f4cc4e..000000000
--- a/apps/fz_http/test/fz_http_web/mailer_test/auth_email_test.exs
+++ /dev/null
@@ -1,28 +0,0 @@
-defmodule FzHttpWeb.AuthEmailTest do
-  use FzHttpWeb.MailerCase, async: true
-
-  alias FzHttp.Users
-
-  describe "reset_sign_in_token/1" do
-    setup :create_user
-
-    import Swoosh.TestAssertions
-
-    test "when email exists sends a magic link", %{user: user} do
-      Users.reset_sign_in_token(user.email)
-
-      user = Users.get_user!(user.id)
-
-      assert_email_sent(
-        subject: "Firezone Magic Link",
-        to: [{"", user.email}],
-        text_body: ~r(#{url(~p"/auth/magic/#{user.sign_in_token}")})
-      )
-    end
-
-    test "when email does not exist logs the attempt" do
-      Users.reset_sign_in_token("foobar@example.com")
-      refute_email_sent()
-    end
-  end
-end
diff --git a/apps/fz_http/test/fz_http_web/user_from_auth_test.exs b/apps/fz_http/test/fz_http_web/user_from_auth_test.exs
index 8e2e2ce01..01f203b29 100644
--- a/apps/fz_http/test/fz_http_web/user_from_auth_test.exs
+++ b/apps/fz_http/test/fz_http_web/user_from_auth_test.exs
@@ -26,16 +26,12 @@ defmodule FzHttpWeb.UserFromAuthTest do
 
   describe "find_or_create/2 via OIDC with auto create enabled" do
     test "sign in creates user", %{email: email} do
-      openid_connect_provider =
-        List.first(FzHttp.ConfigurationsFixtures.openid_connect_providers_attrs())
-
-      FzHttp.Configurations.put!(
-        :openid_connect_providers,
-        [openid_connect_provider]
-      )
+      FzHttp.ConfigurationsFixtures.start_openid_providers(["google"], %{
+        "auto_create_users" => true
+      })
 
       assert {:ok, result} =
-               UserFromAuth.find_or_create(openid_connect_provider["id"], %{
+               UserFromAuth.find_or_create("google", %{
                  "email" => email,
                  "sub" => :noop
                })
@@ -46,22 +42,24 @@ defmodule FzHttpWeb.UserFromAuthTest do
 
   describe "find_or_create/2 via OIDC with auto create disabled" do
     test "sign in returns error", %{email: email} do
-      openid_connect_provider =
-        List.first(FzHttp.ConfigurationsFixtures.openid_connect_providers_attrs())
-        |> Map.put("auto_create_users", false)
+      {_bypass, [openid_connect_provider_attrs]} =
+        FzHttp.ConfigurationsFixtures.start_openid_providers(["google"])
+
+      openid_connect_provider_attrs =
+        Map.put(openid_connect_provider_attrs, "auto_create_users", false)
 
       FzHttp.Configurations.put!(
         :openid_connect_providers,
-        [openid_connect_provider]
+        [openid_connect_provider_attrs]
       )
 
       assert {:error, "user not found and auto_create_users disabled"} =
-               UserFromAuth.find_or_create(openid_connect_provider["id"], %{
+               UserFromAuth.find_or_create(openid_connect_provider_attrs["id"], %{
                  "email" => email,
                  "sub" => :noop
                })
 
-      assert Users.get_by_email(email) == nil
+      assert Users.fetch_user_by_email(email) == {:error, :not_found}
     end
   end
 
@@ -87,7 +85,7 @@ defmodule FzHttpWeb.UserFromAuthTest do
       assert {:error, "user not found and auto_create_users disabled"} =
                UserFromAuth.find_or_create(:saml, "test", %{"email" => email, "sub" => :noop})
 
-      assert Users.get_by_email(email) == nil
+      assert Users.fetch_user_by_email(email) == {:error, :not_found}
     end
   end
 end
diff --git a/apps/fz_http/test/support/acceptance_case.ex b/apps/fz_http/test/support/acceptance_case.ex
new file mode 100644
index 000000000..932f30a05
--- /dev/null
+++ b/apps/fz_http/test/support/acceptance_case.ex
@@ -0,0 +1,297 @@
+defmodule FzHttpWeb.AcceptanceCase do
+  use ExUnit.CaseTemplate
+  alias Wallaby.Query
+  import Wallaby.Browser
+
+  using do
+    quote do
+      # Import conveniences for testing with browser
+      use Wallaby.DSL
+      use FzHttpWeb, :verified_routes
+      import FzHttpWeb.AcceptanceCase
+      alias FzHttp.Repo
+      alias FzHttpWeb.AcceptanceCase.{Vault, Auth}
+
+      # The default endpoint for testing
+      @endpoint FzHttpWeb.Endpoint
+      @moduletag :acceptance
+      @moduletag timeout: 120_000
+
+      setup tags do
+        Application.put_env(:wallaby, :base_url, @endpoint.url)
+        tags
+      end
+    end
+  end
+
+  setup tags do
+    :ok = Ecto.Adapters.SQL.Sandbox.checkout(FzHttp.Repo)
+
+    unless tags[:async] do
+      Ecto.Adapters.SQL.Sandbox.mode(FzHttp.Repo, {:shared, self()})
+    end
+
+    headless? =
+      if tags[:debug] do
+        false
+      else
+        true
+      end
+
+    metadata = Phoenix.Ecto.SQL.Sandbox.metadata_for(FzHttp.Repo, self())
+    {:ok, session} = start_session(headless?, metadata)
+
+    user_agent =
+      Wallaby.Metadata.append(
+        "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36",
+        metadata
+      )
+
+    %{
+      timeout: if(tags[:debug] == true, do: :infinity, else: 120_000),
+      session: session,
+      debug?: tags[:debug] == true,
+      sql_sandbox_metadata: metadata,
+      user_agent: user_agent
+    }
+  end
+
+  defp start_session(headless?, metadata) do
+    capabilities =
+      [
+        metadata: metadata,
+        window_size: [width: 1280, height: 720]
+      ]
+      |> Wallaby.Chrome.default_capabilities()
+      |> update_in(
+        [:chromeOptions, :args],
+        fn args ->
+          args = args ++ ["--ignore-ssl-errors", "yes", "--ignore-certificate-errors"]
+
+          if headless? do
+            # defaults args already have --headless arg
+            args
+          else
+            args -- ["--headless"]
+          end
+        end
+      )
+
+    Wallaby.start_session(capabilities: capabilities)
+  end
+
+  def take_screenshot(name) do
+    time = :erlang.system_time(:second) |> to_string()
+    name = String.replace(name, " ", "_")
+
+    Wallaby.SessionStore.list_sessions_for(owner_pid: self())
+    |> Enum.with_index(1)
+    |> Enum.flat_map(fn {s, i} ->
+      filename = time <> "_" <> name <> "(#{i})"
+      take_screenshot(s, name: filename, log: true).screenshots
+    end)
+  end
+
+  def assert_el(session, query, started_at \\ nil)
+
+  def assert_el(session, %Query{} = query, started_at) do
+    now = :erlang.monotonic_time(:milli_seconds)
+    started_at = started_at || now
+
+    try do
+      case execute_query(session, query) do
+        {:ok, _query_result} ->
+          session
+
+        {:error, {:not_found, results}} ->
+          query = %Query{query | result: results}
+
+          raise Wallaby.ExpectationNotMetError,
+                Query.ErrorMessage.message(query, :not_found)
+
+        {:error, e} ->
+          raise Wallaby.QueryError,
+                Query.ErrorMessage.message(query, e)
+
+        error ->
+          raise Wallaby.ExpectationNotMetError,
+                "Wallaby has encountered an internal error: #{inspect(error)} with session: #{inspect(session)}"
+      end
+
+      assert_has(session, query)
+    rescue
+      e in [
+        Wallaby.ExpectationNotMetError,
+        Wallaby.StaleReferenceError,
+        Wallaby.QueryError
+      ] ->
+        time_spent = now - started_at
+        max_wait_seconds = fetch_max_wait_seconds!()
+
+        if time_spent > :timer.seconds(max_wait_seconds) do
+          reraise(e, __STACKTRACE__)
+        else
+          floor(time_spent / 10)
+          |> max(100)
+          |> :timer.sleep()
+
+          assert_el(session, query, started_at)
+        end
+    end
+  end
+
+  defp fetch_max_wait_seconds! do
+    if env = System.get_env("E2E_MAX_WAIT_SECONDS") do
+      String.to_integer(env)
+    else
+      2
+    end
+  end
+
+  def fill_form(session, %{} = fields) do
+    # Wait for form to be rendered
+    {form_el, _opts} = Enum.at(fields, 0)
+    session = assert_el(session, Query.fillable_field(form_el))
+
+    # Make sure test covers all form fields
+    element_names =
+      session
+      |> find(Query.css(".input,.textarea", visible: true, count: :any))
+      |> Enum.map(&Wallaby.Element.attr(&1, "name"))
+
+    unless Enum.count(fields) == length(element_names) do
+      flunk(
+        "Expected #{Enum.count(fields)} elements, " <>
+          "got #{length(element_names)}: #{inspect(element_names)}"
+      )
+    end
+
+    Enum.reduce(fields, session, fn {field, value}, session ->
+      fill_in(session, Query.fillable_field(field), with: value)
+    end)
+  end
+
+  def toggle(session, selector) do
+    selector = ~s|document.querySelector("input[name=\\\"#{selector}\\\"]").click()|
+
+    # For some reason Wallaby can't click on checkboxes,
+    # probably because they have absolute positioning
+    session = execute_script(session, selector)
+
+    # If we don't sleep animations won't be finished on form submit
+    Process.sleep(50)
+
+    session
+  end
+
+  def assert_path(session, path) do
+    assert current_path(session) == path
+    session
+  end
+
+  def shutdown_live_socket(session) do
+    Wallaby.end_session(session)
+    Process.sleep(10)
+    # await_for_sandbox_processes()
+  end
+
+  # defp await_for_sandbox_processes() do
+  #   receive do
+  #     {:sandbox_access, pid} ->
+  #       await_for_process_death(pid)
+  #       await_for_sandbox_processes()
+
+  #     _ ->
+  #       await_for_sandbox_processes()
+  #   after
+  #     10 -> :ok
+  #   end
+  # end
+
+  # defp await_for_process_death(pid, retries_left \\ 5) do
+  #   cond do
+  #     not Process.alive?(pid) ->
+  #       :ok
+
+  #     retries_left > 0 ->
+  #       Process.sleep(10)
+  #       await_for_process_death(pid, retries_left - 1)
+
+  #     true ->
+  #       Process.exit(pid, :kill)
+  #   end
+  # end
+
+  @doc """
+  This is an extension of ExUnit's `test` macro but:
+
+  - it rescues the exceptions from Wallaby and prints them while sleeping the process
+  (to allow you interacting with the browser) if test has `debug: true` tag;
+
+  - it takes a screenshot on failure if `debug` tag is not set to `true` or unset.
+
+  Additionally, it will try to await for all the sandboxed processes to finish their work
+  after the test has passed to prevent spamming logs with a lot of crash reports.
+  """
+  defmacro feature(message, var \\ quote(do: _), contents) do
+    contents =
+      case contents do
+        [do: block] ->
+          quote do
+            try do
+              unquote(block)
+              if var!(debug?) == true, do: Process.sleep(360_000)
+              shutdown_live_socket(var!(session))
+              :ok
+            rescue
+              e ->
+                cond do
+                  var!(debug?) == true ->
+                    IO.puts(
+                      IO.ANSI.red() <>
+                        "Warning! This test runs in browser-debug mode, " <>
+                        "it sleep the test process on failure for 50 seconds." <> IO.ANSI.reset()
+                    )
+
+                    IO.puts("")
+                    IO.puts(IO.ANSI.yellow())
+                    IO.puts("Exception was rescued:")
+                    IO.puts(Exception.format(:error, e, __STACKTRACE__))
+                    IO.puts(IO.ANSI.reset())
+                    Process.sleep(:timer.seconds(50))
+
+                  Wallaby.screenshot_on_failure?() ->
+                    unquote(__MODULE__).take_screenshot(unquote(message))
+
+                  true ->
+                    :ok
+                end
+
+                reraise(e, __STACKTRACE__)
+            end
+          end
+      end
+
+    # Always insert debug? tag from module attributes,
+    # which is used by rescue block above
+    {op, meta, bindings} = var
+    debug_var_binding = {:debug?, {:debug?, meta, nil}}
+    var = {op, meta, bindings ++ [debug_var_binding]}
+    var = Macro.escape(var)
+
+    contents = Macro.escape(contents, unquote: true)
+    %{module: mod, file: file, line: line} = __CALLER__
+
+    quote bind_quoted: [
+            var: var,
+            contents: contents,
+            message: message,
+            mod: mod,
+            file: file,
+            line: line
+          ] do
+      name = ExUnit.Case.register_test(mod, file, line, :test, message, [])
+      def unquote(name)(unquote(var)), do: unquote(contents)
+    end
+  end
+end
diff --git a/apps/fz_http/test/support/acceptance_case/auth.ex b/apps/fz_http/test/support/acceptance_case/auth.ex
new file mode 100644
index 000000000..ebd145cdf
--- /dev/null
+++ b/apps/fz_http/test/support/acceptance_case/auth.ex
@@ -0,0 +1,91 @@
+defmodule FzHttpWeb.AcceptanceCase.Auth do
+  import ExUnit.Assertions
+
+  def fetch_session_cookie(session) do
+    options = FzHttpWeb.Session.options()
+
+    key = Keyword.fetch!(options, :key)
+    encryption_salt = Keyword.fetch!(options, :encryption_salt)
+    signing_salt = Keyword.fetch!(options, :signing_salt)
+    secret_key_base = FzHttpWeb.Endpoint.config(:secret_key_base)
+
+    with {:ok, cookie} <- fetch_cookie(session, key),
+         encryption_key = Plug.Crypto.KeyGenerator.generate(secret_key_base, encryption_salt, []),
+         signing_key = Plug.Crypto.KeyGenerator.generate(secret_key_base, signing_salt, []),
+         {:ok, decrypted} <-
+           Plug.Crypto.MessageEncryptor.decrypt(
+             cookie,
+             encryption_key,
+             signing_key
+           ) do
+      {:ok, Plug.Crypto.non_executable_binary_to_term(decrypted)}
+    end
+  end
+
+  defp fetch_cookie(session, key) do
+    cookies = Wallaby.Browser.cookies(session)
+
+    if cookie = Enum.find(cookies, fn cookie -> Map.get(cookie, "name") == key end) do
+      Map.fetch(cookie, "value")
+    else
+      :error
+    end
+  end
+
+  def authenticate(session, %FzHttp.Users.User{} = user) do
+    options = FzHttpWeb.Session.options()
+
+    key = Keyword.fetch!(options, :key)
+    encryption_salt = Keyword.fetch!(options, :encryption_salt)
+    signing_salt = Keyword.fetch!(options, :signing_salt)
+    secret_key_base = FzHttpWeb.Endpoint.config(:secret_key_base)
+
+    with {:ok, token, _claims} <- FzHttpWeb.Auth.HTML.Authentication.encode_and_sign(user) do
+      encryption_key = Plug.Crypto.KeyGenerator.generate(secret_key_base, encryption_salt, [])
+      signing_key = Plug.Crypto.KeyGenerator.generate(secret_key_base, signing_salt, [])
+
+      cookie =
+        %{
+          "guardian_default_token" => token,
+          "login_method" => "identity"
+        }
+        |> :erlang.term_to_binary()
+
+      encrypted =
+        Plug.Crypto.MessageEncryptor.encrypt(
+          cookie,
+          encryption_key,
+          signing_key
+        )
+
+      Wallaby.Browser.set_cookie(session, key, encrypted)
+    end
+  end
+
+  def assert_unauthenticated(session) do
+    with {:ok, cookie} <- fetch_session_cookie(session) do
+      if token = cookie["guardian_default_token"] do
+        {:ok, claims} = FzHttpWeb.Auth.HTML.Authentication.decode_and_verify(token)
+        flunk("User is authenticated, claims: #{inspect(claims)}")
+      else
+        session
+      end
+    else
+      :error -> session
+    end
+  end
+
+  def assert_authenticated(session, user) do
+    with {:ok, cookie} <- fetch_session_cookie(session),
+         {:ok, claims} <-
+           FzHttpWeb.Auth.HTML.Authentication.decode_and_verify(cookie["guardian_default_token"]),
+         {:ok, authenticated_user} <-
+           FzHttpWeb.Auth.HTML.Authentication.resource_from_claims(claims) do
+      assert authenticated_user.id == user.id
+      session
+    else
+      :error -> flunk("No session cookie found")
+      other -> flunk("User is not authenticated: #{inspect(other)}")
+    end
+  end
+end
diff --git a/apps/fz_http/test/support/acceptance_case/vault.ex b/apps/fz_http/test/support/acceptance_case/vault.ex
new file mode 100644
index 000000000..493f85b93
--- /dev/null
+++ b/apps/fz_http/test/support/acceptance_case/vault.ex
@@ -0,0 +1,113 @@
+defmodule FzHttpWeb.AcceptanceCase.Vault do
+  use Wallaby.DSL
+
+  @vault_root_token "firezone"
+  @vault_endpoint "http://127.0.0.1:8200"
+
+  def ensure_userpass_auth_enabled do
+    request(:put, "sys/auth/userpass", %{"type" => "userpass"})
+    :ok
+  end
+
+  def upsert_user(username, email, password) do
+    :ok = ensure_userpass_auth_enabled()
+
+    :ok = request(:put, "auth/userpass/users/#{username}", %{password: password})
+
+    # User Entity and Entity Alias are created automatically when user logs-in for
+    # the first time
+    {:ok, {200, params}} =
+      request(:post, "auth/userpass/login/#{username}", %{password: password})
+
+    entity_id = params["auth"]["entity_id"]
+
+    :ok = request(:put, "identity/entity/id/#{entity_id}", %{metadata: %{email: email}})
+
+    :ok
+  end
+
+  def setup_oidc_provider(endpoint_url, attrs_overrides \\ %{"auto_create_users" => true}) do
+    :ok =
+      request(:put, "identity/oidc/client/firezone", %{
+        assignments: "allow_all",
+        redirect_uris: "#{endpoint_url}/auth/oidc/vault/callback/",
+        scopes_supported: "openid,email"
+      })
+
+    :ok =
+      request(
+        :put,
+        "identity/oidc/scope/email",
+        %{template: Base.encode64("{\"email\": {{identity.entity.metadata.email}}}")}
+      )
+
+    :ok =
+      request(
+        :put,
+        "identity/oidc/provider/default",
+        %{scopes_supported: "email"}
+      )
+
+    {:ok, {200, params}} = request(:get, "identity/oidc/client/firezone")
+
+    FzHttp.Configurations.put!(
+      :openid_connect_providers,
+      [
+        %{
+          "id" => "vault",
+          "discovery_document_uri" =>
+            "http://127.0.0.1:8200/v1/identity/oidc/provider/default/.well-known/openid-configuration",
+          "client_id" => params["data"]["client_id"],
+          "client_secret" => params["data"]["client_secret"],
+          "redirect_uri" => "#{endpoint_url}/auth/oidc/vault/callback/",
+          "response_type" => "code",
+          "scope" => "openid email offline_access",
+          "label" => "OIDC Vault"
+        }
+        |> Map.merge(attrs_overrides)
+      ]
+    )
+
+    :ok
+  end
+
+  def userpass_flow(session, oidc_login, oidc_password) do
+    session
+    |> assert_text("Method")
+    |> fill_in(Query.css("#select-ember40"), with: "userpass")
+    |> fill_in(Query.fillable_field("username"), with: oidc_login)
+    |> fill_in(Query.fillable_field("password"), with: oidc_password)
+    |> click(Query.button("Sign In"))
+  end
+
+  defp request(method, path, params_or_body \\ nil) do
+    headers = [
+      {"X-Vault-Request", "true"},
+      {"X-Vault-Token", @vault_root_token}
+    ]
+
+    body =
+      cond do
+        is_map(params_or_body) ->
+          Jason.encode!(params_or_body)
+
+        is_binary(params_or_body) ->
+          params_or_body
+
+        true ->
+          ""
+      end
+
+    :hackney.request(method, "#{@vault_endpoint}/v1/#{path}", headers, body, [:with_body])
+    |> case do
+      {:ok, _status, _headers, ""} ->
+        :ok
+
+      {:ok, status, _headers, body} ->
+        {:ok, {status, Jason.decode!(body)}}
+
+      {:error, reason} ->
+        {:error, reason}
+    end
+  end
+end
diff --git a/apps/fz_http/test/support/data_case.ex b/apps/fz_http/test/support/data_case.ex
index c6cdf2014..90609a585 100644
--- a/apps/fz_http/test/support/data_case.ex
+++ b/apps/fz_http/test/support/data_case.ex
@@ -13,7 +13,6 @@ defmodule FzHttp.DataCase do
   by setting `use FzHttp.DataCase, async: true`, although
   this option is not recommended for other databases.
   """
-
   use ExUnit.CaseTemplate
   use FzHttp.CaseTemplate
 
@@ -23,8 +22,10 @@ defmodule FzHttp.DataCase do
 
       import Ecto
       import Ecto.Changeset
+      # XXX: Remove this import
       import Ecto.Query
       import FzHttp.DataCase
+      # XXX: Remove this import
       import FzHttp.TestHelpers
     end
   end
diff --git a/apps/fz_http/test/support/fixtures/configurations_fixtures.ex b/apps/fz_http/test/support/fixtures/configurations_fixtures.ex
index d25551433..ecfa9863a 100644
--- a/apps/fz_http/test/support/fixtures/configurations_fixtures.ex
+++ b/apps/fz_http/test/support/fixtures/configurations_fixtures.ex
@@ -19,9 +19,25 @@ defmodule FzHttp.ConfigurationsFixtures do
     configuration
   end
 
-  def openid_connect_providers_attrs do
-    discovery_document_url = discovery_document_server()
+  def start_openid_providers(provider_names, overrides \\ %{}) do
+    {bypass, discovery_document_url} = discovery_document_server()
 
+    openid_connect_providers_attrs =
+      discovery_document_url
+      |> openid_connect_providers_attrs()
+      |> Enum.filter(&(&1["id"] in provider_names))
+      |> Enum.map(fn config ->
+        config
+        |> Enum.into(%{})
+        |> Map.merge(overrides)
+      end)
+
+    Configurations.put!(:openid_connect_providers, openid_connect_providers_attrs)
+
+    {bypass, openid_connect_providers_attrs}
+  end
+
+  defp openid_connect_providers_attrs(discovery_document_url) do
     [
       %{
         "id" => "google",
@@ -31,7 +47,8 @@ defmodule FzHttp.ConfigurationsFixtures do
         "redirect_uri" => "https://firezone.example.com/auth/oidc/google/callback/",
         "response_type" => "code",
         "scope" => "openid email profile",
-        "label" => "OIDC Google"
+        "label" => "OIDC Google",
+        "auto_create_users" => false
       },
       %{
         "id" => "okta",
@@ -41,7 +58,8 @@ defmodule FzHttp.ConfigurationsFixtures do
         "redirect_uri" => "https://firezone.example.com/auth/oidc/okta/callback/",
         "response_type" => "code",
         "scope" => "openid email profile offline_access",
-        "label" => "OIDC Okta"
+        "label" => "OIDC Okta",
+        "auto_create_users" => false
       },
       %{
         "id" => "auth0",
@@ -51,7 +69,8 @@ defmodule FzHttp.ConfigurationsFixtures do
         "redirect_uri" => "https://firezone.example.com/auth/oidc/auth0/callback/",
         "response_type" => "code",
         "scope" => "openid email profile",
-        "label" => "OIDC Auth0"
+        "label" => "OIDC Auth0",
+        "auto_create_users" => false
       },
       %{
         "id" => "azure",
@@ -61,7 +80,8 @@ defmodule FzHttp.ConfigurationsFixtures do
         "redirect_uri" => "https://firezone.example.com/auth/oidc/azure/callback/",
         "response_type" => "code",
         "scope" => "openid email profile offline_access",
-        "label" => "OIDC Azure"
+        "label" => "OIDC Azure",
+        "auto_create_users" => false
       },
       %{
         "id" => "onelogin",
@@ -71,7 +91,8 @@ defmodule FzHttp.ConfigurationsFixtures do
         "redirect_uri" => "https://firezone.example.com/auth/oidc/onelogin/callback/",
         "response_type" => "code",
         "scope" => "openid email profile offline_access",
-        "label" => "OIDC Onelogin"
+        "label" => "OIDC Onelogin",
+        "auto_create_users" => false
       },
       %{
         "id" => "keycloak",
@@ -81,7 +102,8 @@ defmodule FzHttp.ConfigurationsFixtures do
         "redirect_uri" => "https://firezone.example.com/auth/oidc/keycloak/callback/",
         "response_type" => "code",
         "scope" => "openid email profile offline_access",
-        "label" => "OIDC Keycloak"
+        "label" => "OIDC Keycloak",
+        "auto_create_users" => false
       },
       %{
         "id" => "vault",
@@ -91,25 +113,79 @@ defmodule FzHttp.ConfigurationsFixtures do
         "redirect_uri" => "https://firezone.example.com/auth/oidc/vault/callback/",
         "response_type" => "code",
         "scope" => "openid email profile offline_access",
-        "label" => "OIDC Vault"
+        "label" => "OIDC Vault",
+        "auto_create_users" => false
       }
     ]
   end
 
+  def jwks_attrs do
+    %{
+      "alg" => "RS256",
+      "d" =>
+        "X8TM24Zqbiha9geYYk_vZpANu16IadJLJLJ7ucTc3JaMbK8NCYNcHMoXKnNYPFxmq-UWAEIwh-2" <>
+          "txOiOxuChVrblpfyE4SBJio1T0AUcCwmm8U6G-CsSHMMzWTt2dMTnArHjdyAIgOVRW5SVzhTT" <>
+          "taf4JY-47S-fbcJ7g0hmBbVih5i1sE2fad4I4qFHT-YFU_pnUHbteR6GQuRW4r03Eon8Aje6a" <>
+          "l2AxcYnfF8_cSOIOpkDgGavTtGYhhZPi2jZ7kPm6QGkNW5CyfEq5PGB6JOihw-XIFiiMzYgx0" <>
+          "52rnzoqALoLheXrI0By4kgHSmcqOOmq7aiOff45rlSbpsR",
+      "e" => "AQAB",
+      "kid" => "example@firezone.dev",
+      "kty" => "RSA",
+      "n" =>
+        "qlKll8no4lPYXNSuTTnacpFHiXwPOv_htCYvIXmiR7CWhiiOHQqj7KWXIW7TGxyoLVIyeRM4mwv" <>
+          "kLI-UgsSMYdEKTT0j7Ydjrr0zCunPu5Gxr2yOmcRaszAzGxJL5DwpA0V40RqMlm5OuwdqS4To" <>
+          "_p9LlLxzMF6RZe1OqslV5RZ4Y8FmrWq6BV98eIziEHL0IKdsAIrrOYkkcLDdQeMNuTp_yNB8X" <>
+          "l2TdWSdsbRomrs2dCtCqZcXTsy2EXDceHvYhgAB33nh_w17WLrZQwMM-7kJk36Kk54jZd7i80" <>
+          "AJf_s_plXn1mEh-L5IAL1vg3a9EOMFUl-lPiGqc3td_ykH",
+      "use" => "sig"
+    }
+  end
+
+  def expect_refresh_token(bypass, attrs \\ %{}) do
+    test_pid = self()
+
+    Bypass.expect(bypass, "POST", "/oauth/token", fn conn ->
+      conn = fetch_conn_params(conn)
+      send(test_pid, {:request, conn})
+      Plug.Conn.resp(conn, 200, Jason.encode!(attrs))
+    end)
+  end
+
+  def expect_refresh_token_failure(bypass, attrs \\ %{}) do
+    test_pid = self()
+
+    Bypass.expect(bypass, "POST", "/oauth/token", fn conn ->
+      conn = fetch_conn_params(conn)
+      send(test_pid, {:request, conn})
+      Plug.Conn.resp(conn, 401, Jason.encode!(attrs))
+    end)
+  end
+
   def discovery_document_server do
     bypass = Bypass.open()
+    endpoint = "http://localhost:#{bypass.port}"
+    test_pid = self()
+
+    Bypass.expect(bypass, "GET", "/.well-known/jwks.json", fn conn ->
+      attrs = %{"keys" => [jwks_attrs()]}
+      Plug.Conn.resp(conn, 200, Jason.encode!(attrs))
+    end)
 
     Bypass.expect(bypass, "GET", "/.well-known/openid-configuration", fn conn ->
+      conn = fetch_conn_params(conn)
+      send(test_pid, {:request, conn})
+
       attrs = %{
-        "issuer" => "https://common.auth0.com/",
-        "authorization_endpoint" => "https://common.auth0.com/authorize",
-        "token_endpoint" => "https://common.auth0.com/oauth/token",
-        "device_authorization_endpoint" => "https://common.auth0.com/oauth/device/code",
-        "userinfo_endpoint" => "https://common.auth0.com/userinfo",
-        "mfa_challenge_endpoint" => "https://common.auth0.com/mfa/challenge",
-        "jwks_uri" => "https://common.auth0.com/.well-known/jwks.json",
-        "registration_endpoint" => "https://common.auth0.com/oidc/register",
-        "revocation_endpoint" => "https://common.auth0.com/oauth/revoke",
+        "issuer" => "#{endpoint}/",
+        "authorization_endpoint" => "#{endpoint}/authorize",
+        "token_endpoint" => "#{endpoint}/oauth/token",
+        "device_authorization_endpoint" => "#{endpoint}/oauth/device/code",
+        "userinfo_endpoint" => "#{endpoint}/userinfo",
+        "mfa_challenge_endpoint" => "#{endpoint}/mfa/challenge",
+        "jwks_uri" => "#{endpoint}/.well-known/jwks.json",
+        "registration_endpoint" => "#{endpoint}/oidc/register",
+        "revocation_endpoint" => "#{endpoint}/oauth/revoke",
+        "end_session_endpoint" => "https://example.com",
         "scopes_supported" => [
           "openid",
           "profile",
@@ -180,7 +256,15 @@ defmodule FzHttp.ConfigurationsFixtures do
       Plug.Conn.resp(conn, 200, Jason.encode!(attrs))
     end)
 
-    "http://localhost:#{bypass.port}/.well-known/openid-configuration"
+    {bypass, "#{endpoint}/.well-known/openid-configuration"}
+  end
+
+  def fetch_conn_params(conn) do
+    opts = Plug.Parsers.init(parsers: [:urlencoded, :json], pass: ["*/*"], json_decoder: Jason)
+
+    conn
+    |> Plug.Conn.fetch_query_params()
+    |> Plug.Parsers.call(opts)
   end
 
   def saml_identity_providers_attrs do
diff --git a/apps/fz_http/test/support/fixtures/devices_fixtures.ex b/apps/fz_http/test/support/fixtures/devices_fixtures.ex
index f7045300e..d7959be62 100644
--- a/apps/fz_http/test/support/fixtures/devices_fixtures.ex
+++ b/apps/fz_http/test/support/fixtures/devices_fixtures.ex
@@ -9,6 +9,19 @@ defmodule FzHttp.DevicesFixtures do
     UsersFixtures
   }
 
+  def create_device_for_user(user, attrs \\ %{}) do
+    attrs =
+      Enum.into(attrs, %{
+        user_id: user.id,
+        public_key: public_key(),
+        name: "factory #{counter()}",
+        description: "factory description"
+      })
+
+    {:ok, device} = Devices.create_device(attrs)
+    device
+  end
+
   @doc """
   Generate a device.
   """
diff --git a/apps/fz_http/test/support/fixtures/users_fixtures.ex b/apps/fz_http/test/support/fixtures/users_fixtures.ex
index 20b0c7b15..059a5fe64 100644
--- a/apps/fz_http/test/support/fixtures/users_fixtures.ex
+++ b/apps/fz_http/test/support/fixtures/users_fixtures.ex
@@ -3,33 +3,34 @@ defmodule FzHttp.UsersFixtures do
   This module defines test helpers for creating
   entities via the `FzHttp.Users` context.
   """
+  alias FzHttp.Users
 
-  alias FzHttp.{Repo, Users, Users.User}
+  def user_attrs(attrs \\ %{}) do
+    Enum.into(attrs, %{
+      email: "test-#{counter()}@test",
+      password: "password1234",
+      password_confirmation: "password1234"
+    })
+  end
+
+  def create_user_with_role(attrs \\ %{}, role) do
+    attrs
+    |> Enum.into(%{role: role})
+    |> user()
+  end
+
+  def create_user(attrs \\ %{}) do
+    user(attrs)
+  end
 
   @doc """
   Generate a user specified by email, or generate a new otherwise.
   """
   def user(attrs \\ %{}) do
-    email = attrs[:email] || "test-#{counter()}@test"
-
-    case Repo.get_by(User, email: email) do
-      nil ->
-        {:ok, user} =
-          Users.create_user(
-            %{
-              email: email,
-              role: :admin,
-              password: "password1234",
-              password_confirmation: "password1234"
-            },
-            Enum.into(attrs, %{role: :admin})
-          )
-
-        user
-
-      %User{} = user ->
-        user
-    end
+    attrs = user_attrs(attrs)
+    {role, attrs} = Map.pop(attrs, :role, :admin)
+    {:ok, user} = Users.create_user(attrs, role)
+    user
   end
 
   defp counter do
diff --git a/apps/fz_http/test/support/mocks/openid_connect.ex b/apps/fz_http/test/support/mocks/openid_connect.ex
deleted file mode 100644
index f8130c011..000000000
--- a/apps/fz_http/test/support/mocks/openid_connect.ex
+++ /dev/null
@@ -1,9 +0,0 @@
-defmodule OpenIDConnect.MockBehaviour do
-  @moduledoc """
-  Mock Behaviour for OpenIDConnect so that we can use Mox
-  """
-  @callback end_session_uri(any, map) :: String.t()
-  @callback authorization_uri(any, map) :: String.t()
-  @callback fetch_tokens(any, map) :: {:ok, any} | {:error, :fetch_tokens, any}
-  @callback verify(any, map) :: {:ok, any} | {:error, :verify, any}
-end
diff --git a/apps/fz_http/test/support/test_helpers.ex b/apps/fz_http/test/support/test_helpers.ex
index 72b6a1562..149215eda 100644
--- a/apps/fz_http/test/support/test_helpers.ex
+++ b/apps/fz_http/test/support/test_helpers.ex
@@ -10,7 +10,6 @@ defmodule FzHttp.TestHelpers do
     NotificationsFixtures,
     Repo,
     RulesFixtures,
-    Users,
     Users.User,
     UsersFixtures
   }
@@ -168,7 +167,7 @@ defmodule FzHttp.TestHelpers do
   end
 
   def create_user_with_valid_sign_in_token(_) do
-    {:ok, user: %User{} = UsersFixtures.user(Users.sign_in_keys())}
+    {:ok, user: %User{}} = UsersFixtures.user()
   end
 
   def create_user_with_expired_sign_in_token(_) do
diff --git a/apps/fz_http/test/test_helper.exs b/apps/fz_http/test/test_helper.exs
index b92293b0a..bbe35242b 100644
--- a/apps/fz_http/test/test_helper.exs
+++ b/apps/fz_http/test/test_helper.exs
@@ -1,9 +1,10 @@
-Ecto.Adapters.SQL.Sandbox.mode(FzHttp.Repo, :manual)
-Mox.defmock(OpenIDConnect.Mock, for: OpenIDConnect.MockBehaviour)
+# Delete screenshots from previous acceptance test executions
+Path.join(File.cwd!(), "screenshots") |> File.rm_rf!()
 
 Bureaucrat.start(
   writer: Firezone.DocusaurusWriter,
   default_path: "../../docs/docs/reference/rest-api"
 )
 
-ExUnit.start(formatters: [ExUnit.CLIFormatter, Bureaucrat.Formatter])
+Ecto.Adapters.SQL.Sandbox.mode(FzHttp.Repo, :manual)
+ExUnit.start(formatters: [ExUnit.CLIFormatter, JUnitFormatter, Bureaucrat.Formatter])
diff --git a/apps/fz_vpn/.formatter.exs b/apps/fz_vpn/.formatter.exs
new file mode 100644
index 000000000..7f9277b11
--- /dev/null
+++ b/apps/fz_vpn/.formatter.exs
@@ -0,0 +1,9 @@
+[
+  locals_without_parens: [],
+  import_deps: [],
+  inputs: [
+    "*.{ex,exs}",
+    "{lib,test,priv}/**/*.{ex,exs}"
+  ],
+  plugins: []
+]
diff --git a/apps/fz_vpn/lib/fz_vpn/application.ex b/apps/fz_vpn/lib/fz_vpn/application.ex
index 4a8172ce8..090fee4cf 100644
--- a/apps/fz_vpn/lib/fz_vpn/application.ex
+++ b/apps/fz_vpn/lib/fz_vpn/application.ex
@@ -1,14 +1,8 @@
 defmodule FzVpn.Application do
-  # See https://hexdocs.pm/elixir/Application.html
-  # for more information on OTP Applications
-  @moduledoc false
-
   use Application
 
   def start(_type, _args) do
-    # See https://hexdocs.pm/elixir/Supervisor.html
-    # for other strategies and supported options
-    opts = [strategy: :one_for_one, name: FzVpn.Supervisor]
+    opts = [strategy: :one_for_one, name: __MODULE__.Supervisor]
     Supervisor.start_link(children(), opts)
   end
 
diff --git a/apps/fz_vpn/mix.exs b/apps/fz_vpn/mix.exs
index 2a61f4c34..b591b9ad8 100644
--- a/apps/fz_vpn/mix.exs
+++ b/apps/fz_vpn/mix.exs
@@ -41,8 +41,6 @@ defmodule FzVpn.MixProject do
     [
       {:fz_http, in_umbrella: true},
       {:fz_common, in_umbrella: true},
-      {:credo, "~> 1.4", only: [:dev, :test], runtime: false},
-      {:excoveralls, "~> 0.13", only: :test},
       {:wireguardex, "~> 0.3.5"}
     ]
   end
diff --git a/apps/fz_wall/.formatter.exs b/apps/fz_wall/.formatter.exs
new file mode 100644
index 000000000..7f9277b11
--- /dev/null
+++ b/apps/fz_wall/.formatter.exs
@@ -0,0 +1,9 @@
+[
+  locals_without_parens: [],
+  import_deps: [],
+  inputs: [
+    "*.{ex,exs}",
+    "{lib,test,priv}/**/*.{ex,exs}"
+  ],
+  plugins: []
+]
diff --git a/apps/fz_wall/lib/fz_wall/application.ex b/apps/fz_wall/lib/fz_wall/application.ex
index ec4a3f5cb..fcf54a1da 100644
--- a/apps/fz_wall/lib/fz_wall/application.ex
+++ b/apps/fz_wall/lib/fz_wall/application.ex
@@ -12,7 +12,7 @@ defmodule FzWall.Application do
 
     # See https://hexdocs.pm/elixir/Supervisor.html
     # for other strategies and supported options
-    opts = [strategy: :one_for_one, name: FzWall.Supervisor]
+    opts = [strategy: :one_for_one, name: __MODULE__.Supervisor]
     Supervisor.start_link(children, opts)
   end
 end
diff --git a/apps/fz_wall/mix.exs b/apps/fz_wall/mix.exs
index 5b42126b3..6986541de 100644
--- a/apps/fz_wall/mix.exs
+++ b/apps/fz_wall/mix.exs
@@ -40,9 +40,7 @@ defmodule FzWall.MixProject do
   defp deps do
     [
       {:fz_http, in_umbrella: true},
-      {:fz_common, in_umbrella: true},
-      {:credo, "~> 1.4", only: [:dev, :test], runtime: false},
-      {:excoveralls, "~> 0.13", only: :test}
+      {:fz_common, in_umbrella: true}
     ]
   end
 end
diff --git a/config/config.exs b/config/config.exs
index ea18bc16d..6a1392035 100644
--- a/config/config.exs
+++ b/config/config.exs
@@ -50,8 +50,7 @@ config :fz_http,
   server_process_opts: [name: {:global, :fz_http_server}],
   saml_entity_id: "urn:firezone.dev:firezone-app",
   saml_certfile_path: Path.expand("../apps/fz_http/priv/cert/saml_selfsigned.pem", __DIR__),
-  saml_keyfile_path: Path.expand("../apps/fz_http/priv/cert/saml_selfsigned_key.pem", __DIR__),
-  openid_connect: OpenIDConnect
+  saml_keyfile_path: Path.expand("../apps/fz_http/priv/cert/saml_selfsigned_key.pem", __DIR__)
 
 config :fz_wall,
   cli: FzWall.CLI.Sandbox,
diff --git a/config/runtime.exs b/config/runtime.exs
index ecf1780dd..4298f372f 100644
--- a/config/runtime.exs
+++ b/config/runtime.exs
@@ -13,7 +13,7 @@ alias FzCommon.{CLI, FzInteger, FzString, FzKernelVersion, FzNet}
     System.fetch_env!("EXTERNAL_URL")
     |> FzNet.to_complete_url()
   else
-    System.get_env("EXTERNAL_URL", "https://localhost")
+    System.get_env("EXTERNAL_URL", "http://localhost:4002")
     |> FzNet.to_complete_url()
   end
 
diff --git a/config/test.exs b/config/test.exs
index 2c1e38646..730ce1199 100644
--- a/config/test.exs
+++ b/config/test.exs
@@ -53,9 +53,6 @@ config :ueberauth, Ueberauth,
     identity: {Ueberauth.Strategy.Identity, [callback_methods: ["POST"], uid_field: :email]}
   ]
 
-# Provide mock for OpenIDConnect
-config :fz_http, :openid_connect, OpenIDConnect.Mock
-
 config :fz_http, FzHttpWeb.Mailer, adapter: Swoosh.Adapters.Test, from_email: "test@firez.one"
 
 config :fz_vpn,
@@ -66,3 +63,15 @@ config :fz_vpn,
 config :argon2_elixir, t_cost: 1, m_cost: 8
 
 config :bureaucrat, :json_library, Jason
+
+config :wallaby,
+  driver: Wallaby.Chrome,
+  screenshot_on_failure: true,
+  # XXX: Contribute to Wallaby to make this configurable on the per-process level,
+  # along with buffer to write logs only on process failure
+  js_logger: false
+
+config :ex_unit,
+  formatters: [JUnitFormatter, ExUnit.CLIFormatter],
+  capture_log: true,
+  exclude: [:acceptance]
diff --git a/docker-compose.yml b/docker-compose.yml
index e54803e8d..9547e0e22 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -74,7 +74,8 @@ services:
   vault:
     image: vault
     environment:
-      - VAULT_ADDR=0.0.0.0:8200
+      VAULT_ADDR: 'http://127.0.0.1:8200'
+      VAULT_DEV_ROOT_TOKEN_ID: 'firezone'
     ports:
       - 8200:8200/tcp
     cap_add:
diff --git a/mix.exs b/mix.exs
index 35829f51f..01e34cf7c 100644
--- a/mix.exs
+++ b/mix.exs
@@ -55,16 +55,19 @@ defmodule FirezoneUmbrella.MixProject do
   # Run "mix help deps" for examples and options.
   defp deps do
     [
+      # Shared deps
       {:jason, "~> 1.2"},
-      {:posthog, "~> 0.1"},
-      # for formatting Heex
-      {:phoenix, "~> 1.7.0-rc.0", override: true},
-      {:phoenix_live_view, "~> 0.18.3"},
-      {:phoenix_live_dashboard, "~> 0.7.2"},
-      {:ex_doc, "~> 0.24", only: :dev, runtime: false},
+
+      # Shared test deps
       {:excoveralls, "~> 0.14", only: :test},
+      {:credo, "~> 1.5", only: [:dev, :test], runtime: false},
       {:mix_test_watch, "~> 1.0", only: :dev, runtime: false},
-      {:dialyxir, "~> 1.1", only: [:dev], runtime: false}
+      {:dialyxir, "~> 1.1", only: [:dev], runtime: false},
+      {:junit_formatter, "~> 3.3", only: [:test]},
+
+      # Formatter doesn't track dependencies of children applications
+      {:phoenix, "~> 1.7.0-rc.1", override: true},
+      {:phoenix_live_view, "~> 0.18.3"}
     ]
   end
 
diff --git a/mix.lock b/mix.lock
index 7a82bb546..06124401e 100644
--- a/mix.lock
+++ b/mix.lock
@@ -3,7 +3,7 @@
   "bunt": {:hex, :bunt, "0.2.1", "e2d4792f7bc0ced7583ab54922808919518d0e57ee162901a16a1b6664ef3b14", [:mix], [], "hexpm", "a330bfb4245239787b15005e66ae6845c9cd524a288f0d141c148b02603777a5"},
   "bureaucrat": {:hex, :bureaucrat, "0.2.9", "d98e4d2b9bdbf22e4a45c2113ce8b38b5b63278506c6ff918e3b943a4355d85b", [:mix], [{:inflex, ">= 1.10.0", [hex: :inflex, repo: "hexpm", optional: false]}, {:phoenix, ">= 1.2.0", [hex: :phoenix, repo: "hexpm", optional: true]}, {:plug, ">= 1.0.0", [hex: :plug, repo: "hexpm", optional: false]}, {:poison, "~> 1.5 or ~> 2.0 or ~> 3.0 or ~> 4.0", [hex: :poison, repo: "hexpm", optional: true]}], "hexpm", "111c8dd84382a62e1026ae011d592ceee918553e5203fe8448d9ba6ccbdfff7d"},
   "bypass": {:hex, :bypass, "2.1.0", "909782781bf8e20ee86a9cabde36b259d44af8b9f38756173e8f5e2e1fabb9b1", [:mix], [{:plug, "~> 1.7", [hex: :plug, repo: "hexpm", optional: false]}, {:plug_cowboy, "~> 2.0", [hex: :plug_cowboy, repo: "hexpm", optional: false]}, {:ranch, "~> 1.3", [hex: :ranch, repo: "hexpm", optional: false]}], "hexpm", "d9b5df8fa5b7a6efa08384e9bbecfe4ce61c77d28a4282f79e02f1ef78d96b80"},
-  "castore": {:hex, :castore, "0.1.20", "62a0126cbb7cb3e259257827b9190f88316eb7aa3fdac01fd6f2dfd64e7f46e9", [:mix], [], "hexpm", "a020b7650529c986c454a4035b6b13a328e288466986307bea3aadb4c95ac98a"},
+  "castore": {:hex, :castore, "0.1.22", "4127549e411bedd012ca3a308dede574f43819fe9394254ca55ab4895abfa1a2", [:mix], [], "hexpm", "c17576df47eb5aa1ee40cc4134316a99f5cad3e215d5c77b8dd3cfef12a22cac"},
   "certifi": {:hex, :certifi, "2.9.0", "6f2a475689dd47f19fb74334859d460a2dc4e3252a3324bd2111b8f0429e7e21", [:rebar3], [], "hexpm", "266da46bdb06d6c6d35fde799bcb28d36d985d424ad7c08b5bb48f5b5cdd4641"},
   "cidr": {:git, "https://github.com/firezone/cidr-elixir.git", "a32125127a7910f476734f45391ba6d37036ee11", []},
   "cloak": {:hex, :cloak, "1.1.2", "7e0006c2b0b98d976d4f559080fabefd81f0e0a50a3c4b621f85ceeb563e80bb", [:mix], [{:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: true]}], "hexpm", "940d5ac4fcd51b252930fd112e319ea5ae6ab540b722f3ca60a85666759b9585"},
@@ -30,29 +30,34 @@
   "expo": {:hex, :expo, "0.1.0", "d4e932bdad052c374118e312e35280f1919ac13881cb3ac07a209a54d0c81dd8", [:mix], [], "hexpm", "c22c536021c56de058aaeedeabb4744eb5d48137bacf8c29f04d25b6c6bbbf45"},
   "file_size": {:hex, :file_size, "3.0.1", "ad447a69442a82fc701765a73992d7b1110136fa0d4a9d3190ea685d60034dcd", [:mix], [{:decimal, ">= 1.0.0 and < 3.0.0", [hex: :decimal, repo: "hexpm", optional: true]}, {:number, "~> 1.0", [hex: :number, repo: "hexpm", optional: false]}], "hexpm", "64dd665bc37920480c249785788265f5d42e98830d757c6a477b3246703b8e20"},
   "file_system": {:hex, :file_system, "0.2.10", "fb082005a9cd1711c05b5248710f8826b02d7d1784e7c3451f9c1231d4fc162d", [:mix], [], "hexpm", "41195edbfb562a593726eda3b3e8b103a309b733ad25f3d642ba49696bf715dc"},
+  "finch": {:hex, :finch, "0.14.0", "619bfdee18fc135190bf590356c4bf5d5f71f916adb12aec94caa3fa9267a4bc", [:mix], [{:castore, "~> 0.1", [hex: :castore, repo: "hexpm", optional: false]}, {:mime, "~> 1.0 or ~> 2.0", [hex: :mime, repo: "hexpm", optional: false]}, {:mint, "~> 1.3", [hex: :mint, repo: "hexpm", optional: false]}, {:nimble_options, "~> 0.4", [hex: :nimble_options, repo: "hexpm", optional: false]}, {:nimble_pool, "~> 0.2.6", [hex: :nimble_pool, repo: "hexpm", optional: false]}, {:telemetry, "~> 0.4 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "5459acaf18c4fdb47a8c22fb3baff5d8173106217c8e56c5ba0b93e66501a8dd"},
   "floki": {:hex, :floki, "0.34.0", "002d0cc194b48794d74711731db004fafeb328fe676976f160685262d43706a8", [:mix], [], "hexpm", "9c3a9f43f40dde00332a589bd9d389b90c1f518aef500364d00636acc5ebc99c"},
   "gen_smtp": {:hex, :gen_smtp, "1.2.0", "9cfc75c72a8821588b9b9fe947ae5ab2aed95a052b81237e0928633a13276fd3", [:rebar3], [{:ranch, ">= 1.8.0", [hex: :ranch, repo: "hexpm", optional: false]}], "hexpm", "5ee0375680bca8f20c4d85f58c2894441443a743355430ff33a783fe03296779"},
   "gettext": {:hex, :gettext, "0.21.0", "15bbceb20b317b706a8041061a08e858b5a189654128618b53746bf36c84352b", [:mix], [{:expo, "~> 0.1.0", [hex: :expo, repo: "hexpm", optional: false]}], "hexpm", "04a66db4103b6d1d18f92240bb2c73167b517229316b7bef84e4eebbfb2f14f6"},
   "guardian": {:hex, :guardian, "2.3.1", "2b2d78dc399a7df182d739ddc0e566d88723299bfac20be36255e2d052fd215d", [:mix], [{:jose, "~> 1.8", [hex: :jose, repo: "hexpm", optional: false]}, {:plug, "~> 1.3.3 or ~> 1.4", [hex: :plug, repo: "hexpm", optional: true]}], "hexpm", "bbe241f9ca1b09fad916ad42d6049d2600bbc688aba5b3c4a6c82592a54274c3"},
   "guardian_db": {:hex, :guardian_db, "2.1.0", "ec95a9d99cdd1e550555d09a7bb4a340d8887aad0697f594590c2fd74be02426", [:mix], [{:ecto, "~> 3.0", [hex: :ecto, repo: "hexpm", optional: false]}, {:ecto_sql, "~> 3.1", [hex: :ecto_sql, repo: "hexpm", optional: false]}, {:guardian, "~> 1.0 or ~> 2.0", [hex: :guardian, repo: "hexpm", optional: false]}, {:postgrex, "~> 0.13", [hex: :postgrex, repo: "hexpm", optional: true]}], "hexpm", "f8e7d543ac92c395f3a7fd5acbe6829faeade57d688f7562e2f0fca8f94a0d70"},
   "hackney": {:hex, :hackney, "1.18.1", "f48bf88f521f2a229fc7bae88cf4f85adc9cd9bcf23b5dc8eb6a1788c662c4f6", [:rebar3], [{:certifi, "~> 2.9.0", [hex: :certifi, repo: "hexpm", optional: false]}, {:idna, "~> 6.1.0", [hex: :idna, repo: "hexpm", optional: false]}, {:metrics, "~> 1.0.0", [hex: :metrics, repo: "hexpm", optional: false]}, {:mimerl, "~> 1.1", [hex: :mimerl, repo: "hexpm", optional: false]}, {:parse_trans, "3.3.1", [hex: :parse_trans, repo: "hexpm", optional: false]}, {:ssl_verify_fun, "~> 1.1.0", [hex: :ssl_verify_fun, repo: "hexpm", optional: false]}, {:unicode_util_compat, "~> 0.7.0", [hex: :unicode_util_compat, repo: "hexpm", optional: false]}], "hexpm", "a4ecdaff44297e9b5894ae499e9a070ea1888c84afdd1fd9b7b2bc384950128e"},
+  "hpax": {:hex, :hpax, "0.1.2", "09a75600d9d8bbd064cdd741f21fc06fc1f4cf3d0fcc335e5aa19be1a7235c84", [:mix], [], "hexpm", "2c87843d5a23f5f16748ebe77969880e29809580efdaccd615cd3bed628a8c13"},
   "httpoison": {:hex, :httpoison, "1.8.2", "9eb9c63ae289296a544842ef816a85d881d4a31f518a0fec089aaa744beae290", [:mix], [{:hackney, "~> 1.17", [hex: :hackney, repo: "hexpm", optional: false]}], "hexpm", "2bb350d26972e30c96e2ca74a1aaf8293d61d0742ff17f01e0279fef11599921"},
   "idna": {:hex, :idna, "6.1.1", "8a63070e9f7d0c62eb9d9fcb360a7de382448200fbbd1b106cc96d3d8099df8d", [:rebar3], [{:unicode_util_compat, "~> 0.7.0", [hex: :unicode_util_compat, repo: "hexpm", optional: false]}], "hexpm", "92376eb7894412ed19ac475e4a86f7b413c1b9fbb5bd16dccd57934157944cea"},
   "inflex": {:hex, :inflex, "2.1.0", "a365cf0821a9dacb65067abd95008ca1b0bb7dcdd85ae59965deef2aa062924c", [:mix], [], "hexpm", "14c17d05db4ee9b6d319b0bff1bdf22aa389a25398d1952c7a0b5f3d93162dd8"},
   "jason": {:hex, :jason, "1.4.0", "e855647bc964a44e2f67df589ccf49105ae039d4179db7f6271dfd3843dc27e6", [:mix], [{:decimal, "~> 1.0 or ~> 2.0", [hex: :decimal, repo: "hexpm", optional: true]}], "hexpm", "79a3791085b2a0f743ca04cec0f7be26443738779d09302e01318f97bdb82121"},
   "jose": {:hex, :jose, "1.11.5", "3bc2d75ffa5e2c941ca93e5696b54978323191988eb8d225c2e663ddfefd515e", [:mix, :rebar3], [], "hexpm", "dcd3b215bafe02ea7c5b23dafd3eb8062a5cd8f2d904fd9caa323d37034ab384"},
+  "junit_formatter": {:hex, :junit_formatter, "3.3.1", "c729befb848f1b9571f317d2fefa648e9d4869befc4b2980daca7c1edc468e40", [:mix], [], "hexpm", "761fc5be4b4c15d8ba91a6dafde0b2c2ae6db9da7b8832a55b5a1deb524da72b"},
   "makeup": {:hex, :makeup, "1.1.0", "6b67c8bc2882a6b6a445859952a602afc1a41c2e08379ca057c0f525366fc3ca", [:mix], [{:nimble_parsec, "~> 1.2.2 or ~> 1.3", [hex: :nimble_parsec, repo: "hexpm", optional: false]}], "hexpm", "0a45ed501f4a8897f580eabf99a2e5234ea3e75a4373c8a52824f6e873be57a6"},
   "makeup_elixir": {:hex, :makeup_elixir, "0.16.0", "f8c570a0d33f8039513fbccaf7108c5d750f47d8defd44088371191b76492b0b", [:mix], [{:makeup, "~> 1.0", [hex: :makeup, repo: "hexpm", optional: false]}, {:nimble_parsec, "~> 1.2.3", [hex: :nimble_parsec, repo: "hexpm", optional: false]}], "hexpm", "28b2cbdc13960a46ae9a8858c4bebdec3c9a6d7b4b9e7f4ed1502f8159f338e7"},
   "makeup_erlang": {:hex, :makeup_erlang, "0.1.1", "3fcb7f09eb9d98dc4d208f49cc955a34218fc41ff6b84df7c75b3e6e533cc65f", [:mix], [{:makeup, "~> 1.0", [hex: :makeup, repo: "hexpm", optional: false]}], "hexpm", "174d0809e98a4ef0b3309256cbf97101c6ec01c4ab0b23e926a9e17df2077cbb"},
   "metrics": {:hex, :metrics, "1.0.1", "25f094dea2cda98213cecc3aeff09e940299d950904393b2a29d191c346a8486", [:rebar3], [], "hexpm", "69b09adddc4f74a40716ae54d140f93beb0fb8978d8636eaded0c31b6f099f16"},
   "mime": {:hex, :mime, "2.0.3", "3676436d3d1f7b81b5a2d2bd8405f412c677558c81b1c92be58c00562bb59095", [:mix], [], "hexpm", "27a30bf0db44d25eecba73755acf4068cbfe26a4372f9eb3e4ea3a45956bff6b"},
   "mimerl": {:hex, :mimerl, "1.2.0", "67e2d3f571088d5cfd3e550c383094b47159f3eee8ffa08e64106cdf5e981be3", [:rebar3], [], "hexpm", "f278585650aa581986264638ebf698f8bb19df297f66ad91b18910dfc6e19323"},
+  "mint": {:hex, :mint, "1.4.2", "50330223429a6e1260b2ca5415f69b0ab086141bc76dc2fbf34d7c389a6675b2", [:mix], [{:castore, "~> 0.1.0", [hex: :castore, repo: "hexpm", optional: true]}, {:hpax, "~> 0.1.1", [hex: :hpax, repo: "hexpm", optional: false]}], "hexpm", "ce75a5bbcc59b4d7d8d70f8b2fc284b1751ffb35c7b6a6302b5192f8ab4ddd80"},
   "mix_test_watch": {:hex, :mix_test_watch, "1.1.0", "330bb91c8ed271fe408c42d07e0773340a7938d8a0d281d57a14243eae9dc8c3", [:mix], [{:file_system, "~> 0.2.1 or ~> 0.3", [hex: :file_system, repo: "hexpm", optional: false]}], "hexpm", "52b6b1c476cbb70fd899ca5394506482f12e5f6b0d6acff9df95c7f1e0812ec3"},
-  "mox": {:hex, :mox, "1.0.2", "dc2057289ac478b35760ba74165b4b3f402f68803dd5aecd3bfd19c183815d64", [:mix], [], "hexpm", "f9864921b3aaf763c8741b5b8e6f908f44566f1e427b2630e89e9a73b981fef2"},
+  "nimble_options": {:hex, :nimble_options, "0.5.2", "42703307b924880f8c08d97719da7472673391905f528259915782bb346e0a1b", [:mix], [], "hexpm", "4da7f904b915fd71db549bcdc25f8d56f378ef7ae07dc1d372cbe72ba950dce0"},
   "nimble_parsec": {:hex, :nimble_parsec, "1.2.3", "244836e6e3f1200c7f30cb56733fd808744eca61fd182f731eac4af635cc6d0b", [:mix], [], "hexpm", "c8d789e39b9131acf7b99291e93dae60ab48ef14a7ee9d58c6964f59efb570b0"},
+  "nimble_pool": {:hex, :nimble_pool, "0.2.6", "91f2f4c357da4c4a0a548286c84a3a28004f68f05609b4534526871a22053cde", [:mix], [], "hexpm", "1c715055095d3f2705c4e236c18b618420a35490da94149ff8b580a2144f653f"},
   "nimble_totp": {:hex, :nimble_totp, "0.2.0", "010ad5a6627f62e070f753752680550ba9e5744d96fc4101683cd037f1f5ee18", [:mix], [], "hexpm", "7fecd15ff14637ccd2fb3bda68476a6a7f107af731c51b1714436b687e5b50b3"},
   "number": {:hex, :number, "1.0.3", "932c8a2d478a181c624138958ca88a78070332191b8061717270d939778c9857", [:mix], [{:decimal, "~> 1.5 or ~> 2.0", [hex: :decimal, repo: "hexpm", optional: false]}], "hexpm", "dd397bbc096b2ca965a6a430126cc9cf7b9ef7421130def69bcf572232ca0f18"},
-  "openid_connect": {:git, "https://github.com/firezone/openid_connect.git", "6b6b91e25f5153bfa3bcca25be356924806eec13", []},
+  "openid_connect": {:git, "https://github.com/firezone/openid_connect.git", "ca968b86d7768e232e3659b62181afb8e1d514a5", [branch: "andrew/rewrite"]},
   "parse_trans": {:hex, :parse_trans, "3.3.1", "16328ab840cc09919bd10dab29e431da3af9e9e7e7e6f0089dd5a2d2820011d8", [:rebar3], [], "hexpm", "07cd9577885f56362d414e8c4c4e6bdf10d43a8767abb92d24cbe8b24c54888b"},
   "phoenix": {:hex, :phoenix, "1.7.0-rc.1", "28d6591441347ba68da9750771cec6fe18ce040c91095a46d5d332804d5037d5", [:mix], [{:castore, ">= 0.0.0", [hex: :castore, repo: "hexpm", optional: false]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: true]}, {:phoenix_pubsub, "~> 2.1", [hex: :phoenix_pubsub, repo: "hexpm", optional: false]}, {:phoenix_template, "~> 1.0", [hex: :phoenix_template, repo: "hexpm", optional: false]}, {:phoenix_view, "~> 2.0", [hex: :phoenix_view, repo: "hexpm", optional: true]}, {:plug, "~> 1.14", [hex: :plug, repo: "hexpm", optional: false]}, {:plug_cowboy, "~> 2.6", [hex: :plug_cowboy, repo: "hexpm", optional: true]}, {:plug_crypto, "~> 1.2", [hex: :plug_crypto, repo: "hexpm", optional: false]}, {:telemetry, "~> 0.4 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}, {:websock_adapter, "~> 0.4", [hex: :websock_adapter, repo: "hexpm", optional: false]}], "hexpm", "96d98dcf161b2784fd08a52fd480729a9eeae33773440b4e7a89d1e7e804af52"},
   "phoenix_ecto": {:hex, :phoenix_ecto, "4.4.0", "0672ed4e4808b3fbed494dded89958e22fb882de47a97634c0b13e7b0b5f7720", [:mix], [{:ecto, "~> 3.3", [hex: :ecto, repo: "hexpm", optional: false]}, {:phoenix_html, "~> 2.14.2 or ~> 3.0", [hex: :phoenix_html, repo: "hexpm", optional: true]}, {:plug, "~> 1.9", [hex: :plug, repo: "hexpm", optional: false]}], "hexpm", "09864e558ed31ee00bd48fcc1d4fc58ae9678c9e81649075431e69dbabb43cc1"},
@@ -76,11 +81,14 @@
   "ssl_verify_fun": {:hex, :ssl_verify_fun, "1.1.6", "cf344f5692c82d2cd7554f5ec8fd961548d4fd09e7d22f5b62482e5aeaebd4b0", [:make, :mix, :rebar3], [], "hexpm", "bdb0d2471f453c88ff3908e7686f86f9be327d065cc1ec16fa4540197ea04680"},
   "sweet_xml": {:hex, :sweet_xml, "0.7.3", "debb256781c75ff6a8c5cbf7981146312b66f044a2898f453709a53e5031b45b", [:mix], [], "hexpm", "e110c867a1b3fe74bfc7dd9893aa851f0eed5518d0d7cad76d7baafd30e4f5ba"},
   "swoosh": {:hex, :swoosh, "1.9.1", "0a5d7bf9954eb41d7e55525bc0940379982b090abbaef67cd8e1fd2ed7f8ca1a", [:mix], [{:cowboy, "~> 1.1 or ~> 2.4", [hex: :cowboy, repo: "hexpm", optional: true]}, {:ex_aws, "~> 2.1", [hex: :ex_aws, repo: "hexpm", optional: true]}, {:finch, "~> 0.6", [hex: :finch, repo: "hexpm", optional: true]}, {:gen_smtp, "~> 0.13 or ~> 1.0", [hex: :gen_smtp, repo: "hexpm", optional: true]}, {:hackney, "~> 1.9", [hex: :hackney, repo: "hexpm", optional: true]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: false]}, {:mail, "~> 0.2", [hex: :mail, repo: "hexpm", optional: true]}, {:mime, "~> 1.1 or ~> 2.0", [hex: :mime, repo: "hexpm", optional: false]}, {:plug_cowboy, ">= 1.0.0", [hex: :plug_cowboy, repo: "hexpm", optional: true]}, {:telemetry, "~> 0.4.2 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "76dffff3ffcab80f249d5937a592eaef7cc49ac6f4cdd27e622868326ed6371e"},
-  "telemetry": {:hex, :telemetry, "1.2.0", "a8ce551485a9a3dac8d523542de130eafd12e40bbf76cf0ecd2528f24e812a44", [:rebar3], [], "hexpm", "1427e73667b9a2002cf1f26694c422d5c905df889023903c4518921d53e3e883"},
+  "telemetry": {:hex, :telemetry, "1.2.1", "68fdfe8d8f05a8428483a97d7aab2f268aaff24b49e0f599faa091f1d4e7f61c", [:rebar3], [], "hexpm", "dad9ce9d8effc621708f99eac538ef1cbe05d6a874dd741de2e689c47feafed5"},
   "telemetry_metrics": {:hex, :telemetry_metrics, "0.6.1", "315d9163a1d4660aedc3fee73f33f1d355dcc76c5c3ab3d59e76e3edf80eef1f", [:mix], [{:telemetry, "~> 0.4 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: false]}], "hexpm", "7be9e0871c41732c233be71e4be11b96e56177bf15dde64a8ac9ce72ac9834c6"},
+  "tesla": {:hex, :tesla, "1.5.0", "7ee3616be87024a2b7231ae14474310c9b999c3abb1f4f8dbc70f86bd9678eef", [:mix], [{:castore, "~> 0.1", [hex: :castore, repo: "hexpm", optional: true]}, {:exjsx, ">= 3.0.0", [hex: :exjsx, repo: "hexpm", optional: true]}, {:finch, "~> 0.13", [hex: :finch, repo: "hexpm", optional: true]}, {:fuse, "~> 2.4", [hex: :fuse, repo: "hexpm", optional: true]}, {:gun, "~> 1.3", [hex: :gun, repo: "hexpm", optional: true]}, {:hackney, "~> 1.6", [hex: :hackney, repo: "hexpm", optional: true]}, {:ibrowse, "4.4.0", [hex: :ibrowse, repo: "hexpm", optional: true]}, {:jason, ">= 1.0.0", [hex: :jason, repo: "hexpm", optional: true]}, {:mime, "~> 1.0 or ~> 2.0", [hex: :mime, repo: "hexpm", optional: false]}, {:mint, "~> 1.0", [hex: :mint, repo: "hexpm", optional: true]}, {:msgpax, "~> 2.3", [hex: :msgpax, repo: "hexpm", optional: true]}, {:poison, ">= 1.0.0", [hex: :poison, repo: "hexpm", optional: true]}, {:telemetry, "~> 0.4 or ~> 1.0", [hex: :telemetry, repo: "hexpm", optional: true]}], "hexpm", "1d0385e41fbd76af3961809088aef15dec4c2fdaab97b1c93c6484cb3695a122"},
   "ueberauth": {:hex, :ueberauth, "0.10.3", "4a3bd7ab7b5d93d301d264f0f6858392654ee92171f4437d067d1ae227c051d9", [:mix], [{:plug, "~> 1.5", [hex: :plug, repo: "hexpm", optional: false]}], "hexpm", "1394f36a6c64e97f2038cf95228e7e52b4cb75417962e30418fbe9902b30e6d3"},
   "ueberauth_identity": {:hex, :ueberauth_identity, "0.4.2", "1ef48b37428d225a2eb0cc453b0d446440d8f62c70dbbfef675ed923986136f2", [:mix], [{:plug, "~> 1.0", [hex: :plug, repo: "hexpm", optional: false]}, {:ueberauth, "~> 0.7", [hex: :ueberauth, repo: "hexpm", optional: false]}], "hexpm", "134354bc3da3ece4333f3611fbe283372134b19b2ed8a3d7f43554c6102c4bff"},
   "unicode_util_compat": {:hex, :unicode_util_compat, "0.7.0", "bc84380c9ab48177092f43ac89e4dfa2c6d62b40b8bd132b1059ecc7232f9a78", [:rebar3], [], "hexpm", "25eee6d67df61960cf6a794239566599b09e17e668d3700247bc498638152521"},
+  "wallaby": {:hex, :wallaby, "0.30.1", "81342a34080867ab359aca23de4d1d8c6bbdeb35d8ce2a8c42e42b758d539963", [:mix], [{:ecto_sql, ">= 3.0.0", [hex: :ecto_sql, repo: "hexpm", optional: true]}, {:httpoison, "~> 0.12 or ~> 1.0", [hex: :httpoison, repo: "hexpm", optional: false]}, {:jason, "~> 1.1", [hex: :jason, repo: "hexpm", optional: false]}, {:phoenix_ecto, ">= 3.0.0", [hex: :phoenix_ecto, repo: "hexpm", optional: true]}, {:web_driver_client, "~> 0.2.0", [hex: :web_driver_client, repo: "hexpm", optional: false]}], "hexpm", "457251df6a94ff80816524136edbce6400cb1ee979586c90224ff634e9543d78"},
+  "web_driver_client": {:hex, :web_driver_client, "0.2.0", "63b76cd9eb3b0716ec5467a0f8bead73d3d9612e63f7560d21357f03ad86e31a", [:mix], [{:hackney, "~> 1.6", [hex: :hackney, repo: "hexpm", optional: false]}, {:jason, "~> 1.0", [hex: :jason, repo: "hexpm", optional: false]}, {:tesla, "~> 1.3", [hex: :tesla, repo: "hexpm", optional: false]}], "hexpm", "83cc6092bc3e74926d1c8455f0ce927d5d1d36707b74d9a65e38c084aab0350f"},
   "websock": {:hex, :websock, "0.4.3", "184ac396bdcd3dfceb5b74c17d221af659dd559a95b1b92041ecb51c9b728093", [:mix], [], "hexpm", "5e4dd85f305f43fd3d3e25d70bec4a45228dfed60f0f3b072d8eddff335539cf"},
   "websock_adapter": {:hex, :websock_adapter, "0.4.5", "30038a3715067f51a9580562c05a3a8d501126030336ffc6edb53bf57d6d2d26", [:mix], [{:bandit, "~> 0.6", [hex: :bandit, repo: "hexpm", optional: true]}, {:plug, "~> 1.14", [hex: :plug, repo: "hexpm", optional: false]}, {:plug_cowboy, "~> 2.6", [hex: :plug_cowboy, repo: "hexpm", optional: true]}, {:websock, "~> 0.4", [hex: :websock, repo: "hexpm", optional: false]}], "hexpm", "1d9812dc7e703c205049426fd4fe0852a247a825f91b099e53dc96f68bafe4c8"},
   "wireguardex": {:hex, :wireguardex, "0.3.6", "163b72693ecb710473c40d3dec3c4c150ba1e7c85ac137114feb93033198c935", [:mix], [{:rustler, ">= 0.0.0", [hex: :rustler, repo: "hexpm", optional: true]}, {:rustler_precompiled, "~> 0.5.1", [hex: :rustler_precompiled, repo: "hexpm", optional: false]}], "hexpm", "1bbe747178265b5f5182aa46a61994635a31a6548cf5a965efbf827e7263c673"},